Many computing systems are configured to expire passwords on a regular basis. One reason for expiring a password is to improve the security of the computing systems. The longer a password remains the same, the greater the risk that the password could be stolen by a malicious intruder. Regularly changing a password greatly reduces the probability of someone stealing it.
In most conventional systems, passwords expire at a fixed time interval. The period at which a password expires is based on an estimate of how long it would take for an intruder to guess the password by brute force. This “estimate” was based on the computing speed of decades ago, and has no relevance to modern computing technologies. Thus, the lengths of expiration periods have become arbitrary in most systems and can no longer be justified. Some other conventional systems expire a password when a predetermined number of logins has occurred, or when a predetermined number of days has passed since the last login. These predetermined numbers, in most systems, are also arbitrarily set and cannot be justified.
Therefore, there is a need to change the current policy for expiring passwords, such that computer security can be improved.