
The new key is simply newer. For especially valuable keys we must assume that an adversary is trying to break them, even if this will be difficult and expensive. But by changing keys, we undo all the work invested so far into breaking a key, since the key they were breaking won't even be used any more.

This was the rationale behind password change frequency rules too. If I can try 100 passwords per day, and I'm sure you've picked 1 of 1000000 passwords I have a good chance to find which one in a few years. But if you're forced to change it every 6 months then I'll never have more than a small chance to get it.

Suppose it takes a government agency 25 years to break a key, and you replace keys every 10 years. So they start on key A in year zero, in year 10 you switch to key B, in year 20 to key C, and then in year 25 they've broken A - but who cares, everybody is using C now.

You might think, well, they could start working on C from the outset. No. The keys are not chosen long in advance; you can't break C until it has been chosen.




> This was the rationale behind password change frequency rules too. If I can try 100 passwords per day, and I'm sure you've picked 1 of 1000000 passwords I have a good chance to find which one in a few years. But if you're forced to change it every 6 months then I'll never have more than a small chance to get it.

This is not how probability works. Password rotation is intended to prevent long term compromises from existing due to a leaked password. I'd debate if this actually has any effect, but that's another matter entirely.


>This is not how probability works. Password rotation is intended to prevent long term compromises from existing due to a leaked password. I'd debate if this actually has any effect, but that's another matter entirely.

Yes it is. Let's up the number to 1000 passwords per day. That means that I can check all passwords in the space in 1000 days, or 3 years. In other words, after 1000 days, there is a 100% chance I can access your account.

If on the other hand, you change your password to a new, random password each day, I have a 1/1000 chance of guessing it each day. Then after 1000 days, I have a 1 - (1 - 1/1000)^1000 chance[1] of knowing your password. That is, each day, I guess your password with P = .1%, so there's a 99.9% chance I don't. Then after 2 days, there's a 99.9% chance for day one, and of the remaining 99.9%, there's a 99.9% chance I don't; continue on for 1000 days, and there's a 63.2% chance I ever accessed your account, not 100%.

In short, it converts the password cracking attempts from being correlated to uncorrelated over a long time scale.

[1]: As an aside, note that in this example that is ~1 - 1/e.

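The arithmetic from the two comments above (the "100 per day, change every 6 months" scenario and the "1000 per day, change daily" scenario), as an added worked example that is not part of any comment in this thread. The model and its assumptions are mine: the password is uniform over a space of N candidates, the attacker tests a fixed number of distinct guesses per day without repeating one within a rotation period, and each rotation yields a fresh uniform password so earlier guesses carry no information. `p_rotated` generalizes the daily-rotation formula 1 - (1 - r/N)^t to an arbitrary rotation period, and `simulate` is a Monte Carlo cross-check of it.

```python
"""Online guessing against a fixed versus a periodically rotated password.

Added example; assumptions (not from the thread):
  - password drawn uniformly from a space of `space` candidates
  - attacker tests `rate` distinct guesses per day, never repeating a guess
    within one rotation period (exhaustive search in some fixed order)
  - on rotation the user picks a fresh uniform random password
"""
import random


def p_fixed(space, rate, days):
    """Cumulative success probability after `days` against a never-rotated password.

    Exhaustive search without repeats covers rate*days of `space` candidates.
    """
    return min(1.0, rate * days / space)


def p_rotated(space, rate, days, period):
    """Cumulative success probability when the password is replaced every `period` days.

    Each full period is an independent trial with success probability
    min(1, rate*period/space); the trailing partial period contributes
    min(1, rate*(days % period)/space). With period=1 this is 1 - (1 - rate/space)**days.
    """
    if period < 1:
        raise ValueError("period must be at least one day")
    per_period = min(1.0, rate * period / space)
    full, rem = divmod(days, period)
    p_fail = (1.0 - per_period) ** full * (1.0 - min(1.0, rate * rem / space))
    return 1.0 - p_fail


def simulate(space, rate, days, period, trials=1000, seed=1):
    """Monte Carlo estimate of p_rotated: fraction of runs where the attacker hits.

    The attacker guesses candidates 0, 1, 2, ... in order, `rate` per day,
    restarting from 0 whenever the password rotates. Because the secret is
    uniform, the guessing order does not matter.
    """
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    hits = 0
    for _ in range(trials):
        secret = tested = 0
        for day in range(days):
            if day % period == 0:            # rotation day (day 0 sets the first password)
                secret = rng.randrange(space)
                tested = 0
            # today's untried guesses are the indices [tested, tested + rate)
            if tested <= secret < tested + rate:
                hits += 1
                break
            tested += rate
    return hits / trials


def compare(space, rate, days, period):
    """Return (fixed, rotated) cumulative success probabilities for one scenario."""
    return p_fixed(space, rate, days), p_rotated(space, rate, days, period)


if __name__ == "__main__":
    # The "1000 guesses/day, daily rotation, 1000 days" scenario from the thread.
    fixed, rotated = compare(1_000_000, 1000, 1000, 1)
    print(f"daily rotation:    fixed={fixed:.4f} rotated={rotated:.4f} "
          f"simulated={simulate(1_000_000, 1000, 1000, 1):.3f}")
    # The "100 guesses/day, change every 6 months" scenario over three years.
    fixed, rotated = compare(1_000_000, 100, 1095, 182)
    print(f"6-month rotation:  fixed={fixed:.4f} rotated={rotated:.4f}")
```

The first scenario reproduces the 100% versus 63.2% figures above. The second shows that the benefit depends on how much of the space the attacker can cover within one rotation period: at 100 guesses per day against a million-candidate space, six-month rotation lowers the three-year success probability only from about 10.9% to about 10.5%, because the per-period coverage (1.8%) is small and the independent trials simply add up.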

> if this actually has any effect

It has the effect of limiting the amount of time that a credential leak can lead to exploit. The focus is on long-term undiscovered compromise using valid credentials. If an attack is not discovered, and the credentials are never changed, the attacker might have access for years. If you're worried about something like corporate espionage, this mitigation is simple and minimal effort.

For really sensitive credentials, I would shrink the rotation period even more. The more often you're forced to do it, the more likely the process will become smoother.


I argue that most compromises are effectively instantaneous. There’s usually little value in being a persistent threat when it takes only a moment to, for example, dump a database or an IMAP folder. Forcing rapid rotations just encourages people to choose weak passwords or store them on post it notes on their screen.


And groups that value persistence (like APTs) rarely depend on passwords to provide it. Instead they map the environment and find a local vulnerability to exploit and create a place to hang out.

One of my employers had the Chinese in their networks for years. We all dutifully changed our passwords every 90 days and it made no difference at all to the Chinese persistence.


Right. The classic is an email account is compromised, a forward-to rule is added, and nobody ever notices. It's a false sense of security if preventing persistence is the goal. Usually instantaneous access is going to be the most disastrous effect anyway.



