Fri Apr 28, 2006 11:26AM EDT
Many of you in heavy-duty corporate environments have to deal with one of my biggest pet peeves in all of technology: changing your password on a quarterly, monthly, or even more frequent basis.
Eugene H. Spafford, security expert and head of Purdue's CERIAS, offers a biting and insightful essay on why this kind of policy is not only useless but potentially dangerous. It's a "best practice" that originated some 30 years ago when a network administrator thought it would be a good idea. (The idea: if someone had already obtained your password, changing it regularly would limit how long he could keep using it.) Today's intrusion detection methods are much better, and the odds of someone retaining illegitimate access for a long period without being discovered are considerably lower. The "frequent change" policy is out of date.
But the policy stuck back then, and now we're stuck with it, despite there being no evidence that it actually increases security. (In fact, it's almost certainly harmful, because people respond by using a series of passwords that are easier to guess. Many people forced to suffer through this ridiculous policy simply use a simple password with a number on the end that they increment every time they're forced to make a change: strawberry01, strawberry02, and so on. Anyone who learns this quarter's password can predict next quarter's.)
If you're fed up with constantly changing, and then forgetting, your password, print out this article (or forward a link) and hand it to your IT manager or whoever's in charge of your network. Just say no to overly frequent password changes!
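The incrementing-suffix habit described above is easy to spot mechanically. The following is an added example, not code from the article or from Spafford's essay: a password-change check that, given the old and new password (both available in cleartext only at the moment the user changes them), reports whether the new one is a predictable variant of the old: a bumped counter, the same stem with a different number, a one- or two-character tweak, or a month-plus-year pattern. It also shows what an attacker who knows the current password would guess for the next rotation. The sample history and the two-edit threshold are constructed for illustration.

```python
"""Added example (not from the original article): flags the predictable
password variants that forced rotation tends to produce. All sample
passwords are constructed for illustration."""
import re
from typing import List, Optional, Tuple

# Constructed sample history: the pattern the article describes, followed
# by one genuinely unrelated password.
SAMPLE_HISTORY = ["strawberry01", "strawberry02", "strawberry03", "Tr0ub4dor&3"]

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")
# Month name (full or abbreviated) followed by a 2- or 4-digit year, e.g. "April2006".
_MONTH_YEAR = re.compile(
    r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2}(\d{2})?$", re.I)


def split_stem_counter(pw: str) -> Tuple[str, Optional[int], int]:
    """'strawberry07' -> ('strawberry', 7, 2). The width preserves zero padding."""
    m = _TRAILING_DIGITS.match(pw)
    if not m:
        return pw, None, 0
    return m.group(1), int(m.group(2)), len(m.group(2))


def predict_next(pw: str) -> Optional[str]:
    """What an attacker holding this rotation's password would try next rotation."""
    stem, counter, width = split_stem_counter(pw)
    if counter is None:
        return None
    return f"{stem}{counter + 1:0{width}d}"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via plain O(len(a) * len(b)) dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def why_predictable(old: str, new: str) -> Optional[str]:
    """Reason the new password is predictable from the old one, or None if it is not."""
    o, n = old.lower(), new.lower()
    if o == n:
        return "unchanged (case only)"
    if predict_next(old) == new:
        return "counter incremented"
    stem_o, c_o, _ = split_stem_counter(o)
    stem_n, c_n, _ = split_stem_counter(n)
    if c_o is not None and c_n is not None and stem_o == stem_n:
        return "same stem, different counter"
    # Two edits is an assumed threshold; it catches "strawberry" -> "strawberry1!".
    if edit_distance(o, n) <= 2:
        return "within two edits of the old password"
    if _MONTH_YEAR.match(new):
        return "month-year pattern"
    return None


def audit_history(history: List[str]) -> List[Tuple[int, str]]:
    """For each change, record the index and reason when it was predictable."""
    findings = []
    for i in range(1, len(history)):
        reason = why_predictable(history[i - 1], history[i])
        if reason:
            findings.append((i, reason))
    return findings


if __name__ == "__main__":
    for idx, reason in audit_history(SAMPLE_HISTORY):
        print(f"{SAMPLE_HISTORY[idx - 1]!r} -> {SAMPLE_HISTORY[idx]!r}: {reason}")
    print("attacker's next guess after strawberry03:", predict_next("strawberry03"))
```

A check like this belongs in the password-change handler, since that is the only point where the server sees both values in cleartext; stored hashes cannot be compared for similarity. It does not make frequent rotation a good policy, it only makes the harm the article describes visible.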
I agree with the article and would support not having to change them as often. The only real advantage I see these days is that it still forces programmers not to hardcode passwords into an app. From the human perspective, unfortunately, it is not always a company's choice whether they want to comply with this policy or not. There are compliance standards such as SOX and PCI, among others, that companies must comply with or be shut down. Oftentimes policies are formed and instituted on the perception of benefit and not on real-world application or experience.
I administer firewalls daily, and I think that asking a customer for each of the networks that will need access into our systems and then setting up inbound ACLs on the outside interface for those source AND destination networks/hosts and specific application ports is the most secure method for allowing them access (whether I NAT on the inside interface or not is irrelevant). However, our security department opposes any changes that have more than a few addresses in them, saying that giving access to multiple class C segments opens us up to hundreds or thousands of potential points of attack. They insist I force the customer to NAT all of their traffic to a single or at most a few addresses. I have argued till I am blue in the face that this is less secure in that we lose ALL visibility into what is happening. We no longer have any record of the original source address or of the volume of data accessed by any single source address. Plus, in my scenario, if you have a client with 100 users that need www access to a server you host and 100 users that need DB access to a server you host, you can limit each group to only the server they need access to. If you force the client to NAT all traffic, then you no longer have that control. You have to let the single address get to both servers.
Granted, even in my preferred way the client could hide an unauthorized segment (or segments) behind an authorized IP, but in that instance you would still see an unusual volume of traffic from an individual host. However, security's stance is that on paper it looks better and meets PCI requirements if we limit access to as few IPs as possible.
Perhaps it would be better to not have a computer to protect what you do not want others to know. There is no password to unlock what is in the most powerful computer of all, our brain.
Reverse psychology: Who's going to guess something like "000" or " " (a space) as a password? Hackers are excluded because they have no life.
Amen!! I had one at my old work that insisted we change every month. I always just made the password the MMMMYYYY. I mean, who's going to come up with complex passwords every month.
Posted by seamusfurr on Tue May 16, 2006 8:44AM EDT
Well put. In my workplace, I have four different passwords, all with different requirements. Since it would defeat the purpose to write them down, I just have to have them reset every month or so when I get locked out. This is not security.