Frequent Password Change Policy: A Bad Idea

Fri Apr 28, 2006 11:26AM EDT


Many of you in heavy-duty corporate environments have to deal with one of my biggest pet peeves in all of technology: Changing your password on a quarterly, monthly, or more frequent basis.

CERIAS and tech security expert Eugene H. Spafford offers a biting and insightful essay on why this kind of policy is not only a useless idea, but a potentially dangerous one, too. It's a "best practice" that was generated 30 years ago when some network administrator thought it would be a good idea. (The idea: if someone already had access, changing your password meant he wouldn't have it for long.) Well, today's intrusion detection methods are much better, and the odds of someone having illegal access for a long period of time without being discovered are considerably lower. The "frequent change" policy is out of date.

But the policy stuck back then, and now we're stuck with it, despite there being no scientific basis that it actually increases security. (In fact, it's almost definitely harmful since people use a series of passwords that are actually easier to guess. Many people forced to suffer through this ridiculous policy simply use a series of simple passwords with a number on the end that increments every time they're forced to make a change: strawberry01, strawberry02, and so on.)
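The incrementing-suffix habit described above is easy to check for on the defender's side, which is also how you can measure whether a rotation policy is producing real changes or cosmetic ones. The following Python is an added example (not code from this article or from Spafford's essay); the function names and the sample password history are my own constructions.

```python
import re

# Trailing decoration such as "!" is ignored, so "strawberry02!" still
# matches the stem of "strawberry01".
_TRAILING_JUNK = re.compile(r"[^A-Za-z0-9]+$")
_NUMERIC_SUFFIX = re.compile(r"^(.*?)(\d+)$")


def split_numeric_suffix(password: str):
    """Split "strawberry02" into ("strawberry", "02"). A password with no
    trailing number comes back as (password, None)."""
    core = _TRAILING_JUNK.sub("", password)
    m = _NUMERIC_SUFFIX.match(core)
    if not m:
        return core, None
    return m.group(1), m.group(2)


def is_incremented_variant(previous: str, candidate: str) -> bool:
    """True when candidate is previous with the trailing number bumped by one,
    the strawberry01 -> strawberry02 pattern the article describes."""
    p_stem, p_num = split_numeric_suffix(previous)
    c_stem, c_num = split_numeric_suffix(candidate)
    if p_num is None or c_num is None:
        return False
    return p_stem.lower() == c_stem.lower() and int(c_num) == int(p_num) + 1


def rejection_reason(history, candidate: str):
    """Return a human-readable reason to reject candidate, or None when it is
    not a cosmetic variant of any password in history (oldest first)."""
    c_stem, c_num = split_numeric_suffix(candidate)
    for previous in history:
        if previous.lower() == candidate.lower():
            return "reuses a previous password (only letter case differs)"
        if is_incremented_variant(previous, candidate):
            return "increments the number on a previous password"
        p_stem, p_num = split_numeric_suffix(previous)
        if (c_num is not None and p_num is not None and c_stem
                and c_stem.lower() == p_stem.lower()):
            return "same password with a different trailing number"
    return None


def cosmetic_rotation_ratio(history) -> float:
    """Fraction of consecutive rotations that were cosmetic. 1.0 means every
    'change' in the history kept the same stem, which is what a mandatory
    rotation policy tends to produce."""
    if len(history) < 2:
        return 0.0
    cosmetic = sum(
        1 for prev, cur in zip(history, history[1:])
        if rejection_reason([prev], cur) is not None
    )
    return cosmetic / (len(history) - 1)


if __name__ == "__main__":
    # Constructed sample history for the demo, not real credentials.
    history = ["strawberry01", "strawberry02", "Strawberry03!"]
    print(rejection_reason(history, "strawberry04"))
    print(cosmetic_rotation_ratio(history))
```

The comparison needs the plaintext of the previous password, so a real deployment can only run it at the moment the user types the old and new passwords together (the change-password form), never against the stored hashes.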

If you're fed up with constantly changing, and then forgetting, your password, print out this article (or forward a link), and hand it to your IT manager or whoever's in charge of your network. Just say no to overly frequent password changes!

Comments on Frequent Password Change Policy: A Bad Idea


  • 46 Posted by hi_dex on Thu Sep 3, 2009 4:19PM EDT

    I have been using the same password scheme at my various job sites for 20 years now. It's the same three letters, plus the 2-digit year and the 3-letter month. (like hjp07May) I change them all every month at the same time, so all I have to remember is what month it is, and I'm fine! Works because it isn't a real word, has numbers, and an upper case letter, and is never the same from month to month. Just don't use any letters that someone can guess, and you'll probably be OK.

  • 47 Posted by williemaemartin on Thu Sep 3, 2009 10:47PM EDT

    I would like to see about changing my email address, as I am receiving at least 175 junk mail and thought maybe my present email address is too easy for everyone trying to sell me everything. How do I go about it? williemaemartin@yahoo.com

  • 48 Posted by roby2216 on Thu Sep 3, 2009 8:46PM EDT

    I completely agree with canesbandtrp. At my school (9th grade) we have to change the password to our computer every month, with all kinds of restrictions on how many letters, numbers, uppercase, etc. there must be; also it can't be similar to the last 12 months or similar to the username or anything. This is so that "no one tries to plagiarize our work"...? First of all, wouldn't we notice if someone handed in the exact same work as us? And also the passwords get to be so confusing that we just write it on a piece of paper and tape it to the bottom of the keyboard (since we get in trouble if the teacher sees it on screen), or all use the same password. Ugh, it is so pointless. I don't see what is so bad about having 1 secure password forever, or at least a year. Who would want to hack into a random school computer anyway?
