Per the title, I'm curious if the security-minded folks amongst us feel that forced password resets (particularly on Windows hosts) make a real difference. I understand it's not a philosophy that will change, as it's the stuff of baseline security, but am curious as to whether or not its value is perceived as high.
There was a widely-circulated study a few years ago that showed that those policies result in *lower* security.

The advantage of a forced reset is this: if your password has been stolen *but not yet used*, then you're locking the thief out.

The disadvantage is this: the greater password strength that is required and the more times someone has to come up with a new password, the more often they'll take shortcuts. Those shortcuts result in easier brute-force or heuristic attacks.

So if you look at the advantage, it's very small and potentially non-existent. It's rare to steal a password from a high-value target and then sit on it, especially for as long as a few months.

Looking at the disadvantage, it's actually very high, and it makes it easier to steal passwords in the first place.