Using a Key Past its Expiration Date

From Guidance Share




Using a cryptographic key or password past its expiration date significantly weakens the protection it provides.

Applies To

Languages: All
Platforms: All



  • Authentication: The longer a cryptographic key stays in service, the more likely it is to be compromised. Once it is compromised, a malicious user can use it to authenticate as the victim.


  • Failure to expire keys


  • Design: Put adequate consideration into the user interface so that it notifies users before the key's expiration, explains why generating a new key matters, and walks users through the process as painlessly as possible.
  • Implementation: Many platform-provided cryptographic systems, such as DPAPI on Windows, expire keys automatically. If you are using a system that does not automatically expire keys, ensure that a key-expiration policy is in place and adhered to.
  • Run time: Users must heed the warnings and generate new keys and passwords when the old ones expire.
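As an added example (not code from the Guidance Share page), here is how the design, implementation and run-time guidance above can be enforced in code: a policy that caps every key's lifetime, classifies each key as valid, expiring soon or expired, prompts the user to rotate inside a warning window, and refuses an expired key outright. The 90-day cap, 14-day warning window and sample key record are assumptions.

```python
# Added illustration, not code from Guidance Share. Key ids and timestamps are
# constructed samples; the 90-day cap and 14-day warning window are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class KeyState(Enum):
    VALID = "valid"
    EXPIRING_SOON = "expiring_soon"  # usable, but the user must be told to rotate
    EXPIRED = "expired"              # refuse every new operation with this key

@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    created: datetime  # timezone-aware UTC
    expires: datetime  # expiry the key was issued with

@dataclass(frozen=True)
class ExpirationPolicy:
    max_lifetime: timedelta = timedelta(days=90)  # hard cap on any key's life
    warn_before: timedelta = timedelta(days=14)   # start prompting this early

    def effective_expiry(self, rec: KeyRecord) -> datetime:
        # A key never outlives the policy cap, whatever its own metadata says.
        return min(rec.expires, rec.created + self.max_lifetime)

    def classify(self, rec: KeyRecord, now: datetime) -> KeyState:
        expiry = self.effective_expiry(rec)
        if now >= expiry:
            return KeyState.EXPIRED
        if now >= expiry - self.warn_before:
            return KeyState.EXPIRING_SOON
        return KeyState.VALID

def authorize_key_use(rec: KeyRecord, policy: ExpirationPolicy, now: datetime):
    """Gate every use of a key on its state; an expired key fails closed."""
    state = policy.classify(rec, now)
    if state is KeyState.EXPIRED:
        return False, f"key {rec.key_id} has expired; generate a new key to continue"
    if state is KeyState.EXPIRING_SOON:
        days_left = (policy.effective_expiry(rec) - now).days
        return True, f"key {rec.key_id} expires in {days_left} day(s); rotate it now"
    return True, ""

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample: issued with a one-year expiry; the 90-day cap (2024-03-31) wins.
SAMPLE_KEY = KeyRecord("k-0001", utc(2024, 1, 1), utc(2025, 1, 1))
```

Every place that loads a key should go through `authorize_key_use`, and the message it returns is what the interface shows the user ahead of the deadline.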

Vulnerability Patterns

How Tos
