Frequent Password Change Policy: A Bad Idea

Fri Apr 28, 2006 11:26AM EDT


Many of you in heavy-duty corporate environments have to deal with one of my biggest pet peeves in all of technology: Changing your password on a quarterly, monthly, or more frequent basis.

CERIAS and tech security expert Eugene H. Spafford offers a biting and insightful essay on why this kind of policy is not only useless but potentially dangerous, too. It's a "best practice" that originated 30 years ago when some network administrator thought it would be a good idea. (The idea: if someone already had access and you changed your password, he wouldn't have it for long.) Well, today's intrusion detection methods are much better, and the odds of someone having illegal access for a long period of time without being discovered are considerably lower. The "frequent change" policy is out of date.

But the policy stuck back then, and now we're stuck with it, despite there being no scientific basis that it actually increases security. (In fact, it's almost definitely harmful since people use a series of passwords that are actually easier to guess. Many people forced to suffer through this ridiculous policy simply use a series of simple passwords with a number on the end that increments every time they're forced to make a change: strawberry01, strawberry02, and so on.)
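One defensive use of the observation above: a password-change validator that rejects the "strawberry01 to strawberry02" pattern and other near-copies, so that a forced change at least produces a genuinely different password. This is an added example, not code from the article or from Spafford's essay; the function names, the verdict labels and the 0.8 similarity threshold are my own choices.

```python
import re
from difflib import SequenceMatcher

# Trailing run of digits: "strawberry02" -> stem "strawberry", counter "02".
_TRAILING_DIGITS = re.compile(r"\d+$")


def strip_counter(password: str) -> str:
    """Return the password with any trailing digit run removed."""
    return _TRAILING_DIGITS.sub("", password)


def rotation_verdict(old: str, new: str, max_similarity: float = 0.8) -> str:
    """Classify a forced password change (labels and threshold are my own choices).

    "identical" - nothing changed at all
    "counter"   - same stem, only the trailing number differs
                  (strawberry01 -> strawberry02, the pattern the article describes)
    "similar"   - a near-copy of the old password by edit similarity
                  (Summer2009! -> Summer2010!)
    "ok"        - a genuinely different password
    """
    if old == new:
        return "identical"
    old_stem, new_stem = strip_counter(old), strip_counter(new)
    # A bare number ("1234") has an empty stem; let the similarity check handle it.
    if old_stem and old_stem.casefold() == new_stem.casefold():
        return "counter"
    # difflib's ratio() is 2*M/T: matched characters over combined length.
    ratio = SequenceMatcher(None, old.casefold(), new.casefold()).ratio()
    if ratio >= max_similarity:
        return "similar"
    return "ok"


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [
        ("strawberry01", "strawberry02"),
        ("Strawberry", "strawberry1"),
        ("Summer2009!", "Summer2010!"),
        ("strawberry02", "correct horse battery"),
    ]:
        print(f"{old!r} -> {new!r}: {rotation_verdict(old, new)}")
```

A check like this runs server-side at change time, where both the old and new password are briefly available in plaintext; it does not require storing old passwords.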

If you're fed up with constantly changing, and then forgetting, your password, print out this article (or forward a link), and hand it to your IT manager or whoever's in charge of your network. Just say no to overly frequent password changes!

Comments on Frequent Password Change Policy: A Bad Idea


  • 6 Posted by brsherrill on Thu Sep 3, 2009 3:14PM EDT

    When selecting my password I typed a string of garbage then committed it to memory. Is this any safer than, say, using my daughter's middle name and her birth year?

  • 7 Posted by arthurguinness.geo on Thu Sep 3, 2009 2:58PM EDT

    In order to make our office computers more secure, we have been burdened with a few dozen different passwords and each has different requirements. Some must contain at least x numerical digits, some cannot use the same character more than twice, some cannot be too similar to any of the last 12 passwords used, most must be at least x characters long... And they force us to change them on different schedules. It is impossible to commit them to memory, so I gave up and started writing them down on a large piece of paper, taped to the cube wall above my monitor, so that I will not lose it.

  • 8 Posted by aitorbk on Thu Sep 3, 2009 2:48PM EDT

    I must remember more than a dozen passwords that change at least each month for each client that I work for. And then my personal passwords. So I take the simple way: complex passwords written down on my encrypted PC and on my PDA. If someone hacks my PC they will get them in a nice Excel file with the IPs, users and passwords... and the owner of the machines...

  • 9 Posted by afinepoint4u on Thu Sep 3, 2009 2:46PM EDT

    I agree with the article. At my work place I can think of six passwords off the top of my head that I have to remember. The passwords change at different frequencies so synchronization is impossible. Most people just write them down somewhere and dig them up as needed. Keeping the password simple by just adding a 01, 02 etc. is the only way to even hope of remembering. I took three weeks off over Christmas. Upon returning, two passwords had expired and I had forgotten one or two others. This is added job security for company IT. Why else aren't the department supervisors given rights to reset their groups' passwords? Of the fifteen years I have worked there only my DOS password has not changed. Go DOS!

  • 10 Posted by rschaet on Thu Sep 3, 2009 8:53PM EDT

    You ought to send this article to the Department of Defense.

  • 11 Posted by adamcauble on Thu Sep 3, 2009 2:45PM EDT

    "....and hand it [this article] to your IT manager." Hah! Maybe it's just the companies I've worked for, but I have yet to see an IT manager open to suggestions and new ideas outside of their own! I swear, some IT managers are so stubborn that they're about as bad as George W. Bush when it comes to others' suggestions on how to do things better and/or differently. However, this article was extremely educational!

  • 12 Posted by cxdomains on Thu Sep 3, 2009 3:33PM EDT

    It's a well-written article! Although a good idea at the time, I disagreed with having to renew my password every quarter at one multinational corporation with a Network Neighborhood several screens in depth. This despite the fact that passwords required at least a specific amount of numerals and password length to be valid. Their network still had a huge no-no which caused controversy when someone figured it out: an email address which autoforwarded to EVERYONE in the entire corporation. To say having that caused thousands in lost productivity on one short-tempered day is putting it mildly. I disagree with one poster on a more sinister and nefarious level. Alcohol does a wonderful job of unlocking one's "inner password" as it often reduces one's inhibitions. The TV dating show Elimidate(tm) had one chick who summed it up quite eloquently: "It's a great truth serum!"

  • 13 Posted by tuskegeebrat on Thu Sep 3, 2009 10:25PM EDT

    I agree. Most people let their passwords expire along with the grace logins, hoping to annoy the administrator enough so he or she will set their password to "no expire" anyway. And who cares if a hacker is in the parking lot, or the building, with a laptop sniffing out passwords? Most of us are too boring for a hacker to be bothered with. I'm a network technician. A manager at one of our divisions told me to change 52 passwords at his site because his employees with internet access had shared passwords with those employees who didn't have access. I asked him what he thought would happen after I changed all 52 passwords? Didn't he think they would just share the new passwords?

  • 14 Posted by powellsmedley on Thu Sep 3, 2009 8:17PM EDT

    The company I work for makes us change our passwords once every three months, but I can't say the same for "easy passwords"; it's actually painful! I've seen many stressing over it, including myself. We can't choose any word that is an actual word (which means no words in the dictionary will work), number patterns or names, and numbers have to be added to boot! First imagine trying to think something up, then try and remember it. I do work for a Fortune 500 company so I guess it's good in the long run.

  • 15 Posted by skipgeel on Thu Sep 3, 2009 9:26PM EDT

    Exactly right! Insightful and completely accurate!

  • 16 Posted by lcloutier77 on Thu Sep 3, 2009 4:58PM EDT

    I also have at least a dozen passwords to remember and they all have different security requirements. We have to change some of them frequently and others not at all. Most people end up writing them down or putting them in a file that pops up as soon as you log in to their workstations (so they only have to remember the workstation login). It totally defeats the purpose of changing the passwords!!

  • 17 Posted by tortuga65 on Thu Sep 3, 2009 10:18PM EDT

    How about the brilliant idea someone in IT had to start asking you 15 days before your password expires if you want to go ahead and change it now? So the 30 day password is really a 15 day password if you don't want to answer an extra prompt every morning when you login. What's the point? Just make me make up a new one on the day it expires.

  • 18 Posted by ringo_pup on Thu Sep 3, 2009 8:42PM EDT

    Years ago, I had a very nosey girlfriend. I started the habit of writing the last 4 digits of phone numbers in reverse order. Of course, that was before cell phones and caller id. The same habit still holds when I write down passwords.

  • 19 Posted by smitee62 on Thu Sep 3, 2009 9:28PM EDT

    We at the post office salute you.

  • 21 Posted by dornaebanks on Thu Sep 3, 2009 3:47PM EDT

    I am convinced that this information on passwords is gonna be of so much help to me, and definitely an eye-opener...

  • 22 Posted by jflagg1 on Thu Sep 3, 2009 4:34PM EDT

    tomw0605: errr, I think I just burned one of my 4 geek-points trying to understand your comment..... selune13: *snorfle* thought I was the only one did that, 'cept I use DDMMM.YYYY

  • 23 Posted by kingworld101 on Thu Sep 3, 2009 4:51PM EDT

    Just so everyone knows I hate peoplesoft passwords.

  • 24 Posted by wpdurden on Thu Sep 3, 2009 10:49PM EDT

    The policy almost certainly causes people to commit every other "don't do" acts like writing it down under the keyboard or where ever. I've found a program called RoboForm that generates and saves passwords for you. The passwords themselves can be protected by a master password, that you do have to remember. Of course, it will not help with login to a network because it works from the browser. It also doesn't work for Outlook, at least yet. It also allows you save identities with addresses, bank and credit card account information, phone numbers, etc. This is very useful when ordering online for personal or work. And now the answer to the obvious question. No, I don't work for Roboform or own stock, I'm just a user that purchased the product.

  • 25 Posted by windbiter on Thu Sep 3, 2009 10:47PM EDT

    I have worked in IT for over 20 years. (Gosh, how time flies when you are bored.) I have never seen a need to force people to change passwords. The worst is when you have to come up with nonsense passwords. I write them down at that point; what choice would anyone have? The problem is you can't get away with not setting the policy to force changes. Either some top honcho got it stuck in his/her head years ago or your company is constrained by some auditor like SOX. And while the auditors may agree with you, they have as little choice as you do. Suggestions - $uper1! 45Ch3vy 19F0rd69 and so on. Easy to hack? Yeah, well, as the article says, any hacking program can get into any system given enough time. At least if they're easy enough to remember, they aren't written down, and at least HR won't be able to snoop on your hard drive.
