Fri Apr 28, 2006 11:26AM EDT
Many of you in heavy-duty corporate environments have to deal with one of my biggest pet peeves in all of technology: changing your password on a quarterly, monthly, or even more frequent basis.
Eugene H. Spafford of CERIAS, a noted security expert, offers a biting and insightful essay on why this kind of policy is not only useless but potentially dangerous. It's a "best practice" that originated some 30 years ago, when some network administrator thought it would be a good idea. (The idea: if someone already had your password, changing it meant he wouldn't have it for long.) Well, today's intrusion detection methods are much better, and the odds of someone holding illicit access for a long period of time without being discovered are considerably lower. The "frequent change" policy is out of date.
But the policy stuck back then, and now we're stuck with it, despite there being no scientific basis for the claim that it actually increases security. (In fact, it's almost certainly harmful, since people respond by using a series of passwords that are actually easier to guess. Many people forced to suffer through this ridiculous policy simply keep one simple base word and put a number on the end that increments every time they're forced to make a change: strawberry01, strawberry02, and so on. Anyone who has seen one of them can guess the next.)
If you're fed up with constantly changing, and then forgetting, your password, print out this article (or forward a link) and hand it to your IT manager or whoever's in charge of your network. Just say no to overly frequent password changes!
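The strawberry01/strawberry02 pattern above is easy to catch at change time, and a rotation policy that does not catch it is worse than no rotation at all. The following is an added example written for this page, not code from the article or from Spafford's essay: it rejects a new password that is the old one with a different counter on the end, or that is within a couple of edits of it. The sample password history, the `max_edits` threshold and all function names are assumptions made for the illustration.

```python
import re
from typing import List, Optional

# Trailing digits and punctuation that people tack on to satisfy a rotation
# policy ("strawberry01" -> "strawberry02" -> "Strawberry03!").
_SUFFIX = re.compile(r"[0-9!@#$%^&*._\-]+$")


def stem(password: str) -> str:
    """Lowercase the password and strip its trailing digit/punctuation run,
    so 'Strawberry02!' and 'strawberry03' both reduce to 'strawberry'."""
    return _SUFFIX.sub("", password.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) by the classic
    row-by-row dynamic programme; O(len(a) * len(b)) time, O(len(b)) space."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is the kind of password forced rotation provokes:
    the same stem with a different counter, or within `max_edits` edits of
    `old` (case-insensitive). max_edits=2 is an assumed threshold."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True
    s_old, s_new = stem(old), stem(new)
    if s_old and s_old == s_new:           # same word, different counter
        return True
    return edit_distance(old_l, new_l) <= max_edits


def check_change(history: List[str], new: str) -> Optional[str]:
    """Return a rejection reason, or None if `new` is acceptable.
    `history` is oldest-first. The message deliberately does not echo any
    previous password or its stem back to the caller."""
    for idx, old in enumerate(history, 1):
        if is_trivial_variant(old, new):
            return f"too similar to previous password #{idx}"
    return None


# Constructed sample history for the demonstration (not real credentials).
HISTORY = ["strawberry01", "strawberry02", "Strawberry03!"]

if __name__ == "__main__":
    for candidate in ["strawberry04", "Strawberry03!!", "strawberry",
                      "correct horse battery staple"]:
        verdict = check_change(HISTORY, candidate) or "accepted"
        print(f"{candidate!r:34} -> {verdict}")
```

One caveat before wiring this into a real system: directory services keep only hashes of previous passwords (Windows' "Enforce password history" compares hashes, so strawberry02 sails through), and this check needs cleartext to compare stems. At change time you legitimately have the current password in cleartext, because the user just typed it, so compare the new password against that one; do not start storing old passwords in cleartext just to extend the check further back.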
Here you'll see the comments in the order they were posted.
I've just got my network partitioned and then firewalled with a password at each of the firewalls. They have to hack through 7 firewalls before they can find anything important. The part that helped my network the most was putting the password protection in odd places, buried under tons of useless information, and my network doesn't force the users to memorize new passwords monthly or however the others do it; we rotate the passwords to the different levels of the network. We just watch the level of activity on each level. We know we have a hacker when any one level is getting more activity than the others, watch how deep they are, then when they get to the 5th level we boot everyone off the network, rotate passwords and notify employees of the rotation.
My password, or should I say passwords, are all at least 15 digits and/or letters that I pick at random and don't mean anything. Forget my pet's name when I was 10 years old, forget my mother's birthday, forget anything about me and just try using all keystrokes times 15. My passwords are so difficult to figure out even I have a hard time remembering them. I HANDWRITE my passwords on a piece of paper that I hide. Even finding the piece of paper would be difficult, and if you did you would not think that it would be anything, as I have also written it in code. For example, if the password is tt3bwrs5wplkvcn2zx I would write it down as tt3arwb5svklpwcn2xz. After the 3 I reverse the next three letters, after the 5 I reverse the next five letters, and at the 2 I reverse the last two. Also the first letter after the number is not in the actual password.
I'm the help desk tech in our IT office, and everyone in IT has it set in Active Directory so our passwords never expire. The only actual reason I can think of that we force our users to change their passwords so often is to comply with HIPAA privacy laws. Personally I think it is more dangerous changing it so often, because half the people have their username and password taped to their monitors.
I agree with you. I did this strategy almost every day a while back, to get rid of someone who kept using my ID to advertise a business. It didn't work; the person was still able to find out the new password. I realized it's just like having a back-door copy of all the master keys, and the person can still open the ID anytime, even if using different types of keys. It's frustrating, and I just didn't use my ID for a long time, and then the person stopped posting to the club using my ID. So far it's peaceful. I am sure that person is having fun making others miserable. Thank you for your articles about passwords.
Sometimes the only thing dumber than regularly having to change passwords is a manager. I had a manager once who required everyone to write down their passwords in an Excel file we all could access, in case any of us had to work at another person's station. She totally undermined the entire system because she dreaded the thought of having a worker doing nothing while his computer was down but other computers were unmanned. Who says we're smarter?
I had to change my password so many times at work I had to start writing it down. I actually have it written down on a note stuck to my computer so I don't forget. Kinda defeats the whole idea of security.
I work in the IT Dept., and we (including our Manager) hate having to change our passwords. BUT we work at a financial institution, where we have federal regulations and frequent audits to ensure we have a strict password policy (as well as other security measures) that includes frequently changing our password. People who do write their passwords down tend to find themselves not only fired but fined (not by us, but by the auditors)!! Some things even an IT department cannot control!
This has to be the dumbest article I've read in quite a while. Apparently this person has never had their ID stolen or bank account zeroed out by someone hacking into their Quicken/Microsoft Money accounts; ask those folks now how they feel about one password. Do a Google search and find the number of password cracking programs, free for download on the Internet. With software I currently have, I can crack a 4-digit password in less than 1 second for many popular software programs. If anything, you need to increase your password complexity, due to these cracking programs and hardware getting faster and faster. The idea is to change it in a shorter period of time than someone can crack your system. Go back to writing Home and Garden articles and stay out of technology areas you have no idea of what's going on in. Security does not equal convenience; this is the problem with folks that are clueless about the damage that can happen to you with technology.
thezarr - Good comments. Here's a funny one.... cable news this evening reminds viewers of a recent hack on thousands of credit/debit cards due to a computer system security breach at a bank. Customers of Marshalls, TJMaxx, etc. got the screw. I'm sure the hack is a result of one of those silly IT password policies.
Thanks hedbudders! My follow-up question to all these folks is this: isn't your password much like a key to your house, car, bank lock box...? Why doesn't everyone want to change all these locks to the same key? Why? Because if you lose that key, someone may have access to everything. I've heard a ton of folks say "No one wants the stuff on my computer," but you'd be surprised what someone might find to use against you, use against a friend, or use to make you the bad guy in something they're doing. They may decide to store content on your system that they don't want on theirs! I really don't blame the folks above; it's what you truly don't know about computer security that can get you in a ton of trouble!
As an IT manager, I would say that you must change your passwords sometimes, if for nothing else than the fact that people do not always follow the rules and use the same passwords across various programs or websites. Many people use the same password for their Yahoo account as for their bank account or corporate account. So mandatory password changes at least help protect the company's confidential information while also protecting the user's identity. A balanced approach is best for all. Look for new ways of authentication to solve this problem in the future, but for now I will enforce a password change at my company.
I will be reading more of this article on how to generate better passwords, but there is one big thing I do not understand. On some of the logins I have for work I have a maximum of three tries to get the user name and password correct. Some Monday mornings that may be challenging. How can a hacker get into a system by generating thousands of possibilities to match a password when you only have three tries before the system locks you out?
I DISAGREE with not periodically changing your pwd. Case in point: hackers sat on hundreds of Ameritrade and Scottrade, etc., accts for long periods of time until they commanded large amounts of money in hundreds of trading accts. Then on one day the hackers went into these accts and sold all the stocks (went to cash). With the cash, they bought up one penny stock. With hundreds of thousands going into one penny stock, the penny stock took off like a jet. Legitimate investors saw this and got in on the action and it took off even more. Finally the hackers (in their legitimate trading acct.) sold all the penny stock, making large sums of money before the penny stock dropped like a rock. Traders logged in and found they owned worthless penny stock. If traders had changed their pwd regularly the hackers could not have pulled this off. Why? Because the hackers had to sit on the hacked pwds for long periods of time before they could command large amounts of money.
I have 8 different systems at work, each with a different password that is changed on a monthly basis, but not at the same time, so nothing is synchronized. One of the systems will not allow the same character twice in a row. One of the systems makes me use 8 characters, no more, no less. One of the systems won't let me in on its password requirements, so I just have to type things I think I will remember, over and over again, until it stops rejecting my new passwords and finally accepts something. One system requires 1 number and 1 special character. One system won't let me repeat one of the last 12 passwords, and another system won't let me repeat one of the last 18 passwords. I finally gave up and wrote them in the note section of a pocket calendar that I keep in my locked desk, one column for each system. That is too much information for my brain to recall every day at 6 am while setting up my computer for the day.
This article is, at the least, irresponsible. The first assumption is based on companies employing intrusion detection systems. They ought to be, but most aren't. Since 2005 over 100 million records containing personal info have been exposed (www.privacyights.org). A lot of these were from stolen laptops (no hard drive encryption?). Read some security surveys and you will find that a lot of companies only find out they have been hacked by accident. At 10 million tries per sec, a 7-character alphanumeric case-hardened password will be cracked in 4 days. Change that to 8 characters and it goes to 250 days. At what point do people take responsibility for their actions and their data? Why don't you tape your MAC card PIN number to your monitor? That would be because then it's about your personal info. And some info for bnives2: the way cracking works is to take the encrypted string of your password (the hash) and decrypt that string to plain text. The process works on the string, not by actually trying to log in.
I like this article, and I just use letters and numbers that were burned in my brain in the 6th grade. I don't think any hacker will figure it out.
I have a very simple scrambled acronym for my pc password (no security risk). For things such as PayPal and my online banking, I use an obscure song name (a personal favorite that would be impossible to guess) and then substitute symbols, spell a word backward, and finish with a string of letters that I will remember, such as the 1st letters of each of the dogs I've owned. I end up with about 25 characters that would only be cracked by someone who should be playing the lottery. I've found too many people who save their passwords in an Excel or Word document. At least if you write them on your desk calendar or stick a post-it to your monitor, a hacker won't get it (your co-workers are another story).
A co-worker at a previous job used the last phrase from each page of War & Peace as their constantly changing password. They substituted certain letters with numbers and/or symbols, to make it even more secure. Since this would give you a different result based on different editions of the novel, and since the novel is VERY large, she was nowhere near out of possibilities by the time I moved to my next job. :)
This is not only a problem for those who work. Even at schools people have to change passwords every so many weeks. We all wind up sharing accounts because everyone has to change passwords so many times that no one can remember. It is absolutely ridiculous. I mean, come on. Schools block everything anyway, and sharing accounts isn't going to make a difference.
Posted by vineet_10 on Sun Jan 21, 2007 11:54AM EST
"Well today's intrusion detection methods are much better, and the odds of someone having illegal access for a long period of time without being discovered are considerably lower." WRT the previous statement, what if your next-cabin colleague is spying on you? What if he somehow knew your password and now keeps snooping on your email and other stuff? How can your intrusion detection systems catch him? He's on the internal network, right? He's just sitting next to your cabin. Now you cannot rule this out by saying that, ya well, this might be just one scenario as compared to n number of hackers trying from an external source, and the IDS not being able to stop this one user but being able to stop the n number of users, so it's still doing a good job. Well, you wouldn't want anyone, whether internal or external, reading your emails or snooping on you, right, other than the Sys Admin who has rights from the company to do audits of this type periodically. Also, you wouldn't attach one IP address to each employee, or even assign him to a particular subnet range, and think this would be a logical solution. He might want to travel out of town and might want to access his machine from there for some legitimate reason, like an important file transfer or simply filling in his time sheets. An IDS blocking legitimate external traffic like this would not be doing a good job.

"The 'frequent change' policy is out of date." WRT the previous statement, I think the frequent password change policy is still not out of date, and it makes sense to change your passwords periodically. This way, even if someone internal breaks your password but is not authorised to access your account, he won't enjoy the access privileges for long. You change the password and he's out of the loop. He'd have to employ the same method to break your password again. How many times would he want to do that? His task can be made more difficult, and even impossible, given the kind of machines he might have access to.
The important question is whether the user will be able to choose a strong password each time. Bruce Schneier has written an article on creating safe passwords at http://tech.yahoo.com/blog/null/13353;_ylt=An1Cs6M7l7JYj3vVPkdDFygSLpA5 Please notice another link on his blog which shows a chart of the time it would take for people to break into passwords created with various combinations.