Frequent Password Change Policy: A Bad Idea

Fri Apr 28, 2006 11:26AM EDT


Many of you in heavy-duty corporate environments have to deal with one of my biggest pet peeves in all of technology: Changing your password on a quarterly, monthly, or more frequent basis.

Eugene H. Spafford of CERIAS, a tech security expert, offers a biting and insightful essay on why this kind of policy is not only useless but potentially dangerous, too. It's a "best practice" that was born 30 years ago when some network administrator thought it would be a good idea. (The idea: if someone already had your password, changing it meant he wouldn't have it for long.) Today's intrusion detection methods are much better, and the odds of someone keeping illegal access for a long period without being discovered are considerably lower. The "frequent change" policy is out of date.

But the policy stuck back then, and now we're stuck with it, despite there being no scientific basis that it actually increases security. (In fact, it's almost definitely harmful since people use a series of passwords that are actually easier to guess. Many people forced to suffer through this ridiculous policy simply use a series of simple passwords with a number on the end that increments every time they're forced to make a change: strawberry01, strawberry02, and so on.)
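A defender's counterpart to the strawberry01/strawberry02 observation, added here as an example (not code from the original post or from Spafford's essay): a change-time check that rejects the predictable successors a rotation policy tends to produce. It assumes the user supplies the old password in plaintext at change time, as most systems require; the names `stem`, `edit_distance` and `rejection_reason` and the sample passwords are this example's own.

```python
import re
from typing import Optional

# Added example (not from the original post): reject the predictable successor
# passwords that forced rotation encourages. The old password is available in
# plaintext at change time, so no cleartext password store is needed.

_TRAILING = "0123456789!@#$%^&*"   # suffix characters people bump on each rotation
_MONTHS = ("january", "february", "march", "april", "may", "june", "july",
           "august", "september", "october", "november", "december")
# Full or three-letter month name, optional separator, four-digit year (MMMMYYYY).
_MONTH_YEAR = re.compile(r"^(%s)[-_ ]?(19|20)\d{2}$"
                         % "|".join(m for n in _MONTHS for m in (n, n[:3])))


def stem(password: str) -> str:
    """Lowercase and drop any trailing run of digits/symbols: 'Strawberry02!' -> 'strawberry'."""
    return password.rstrip(_TRAILING).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character tweaks that change the stem."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rejection_reason(old: str, new: str) -> Optional[str]:
    """Explain why `new` is a predictable successor of `old`, or return None if it passes."""
    new_stem = stem(new)
    if new_stem and new_stem == stem(old):
        return "new password is the old one with a different numeric/symbol suffix"
    if edit_distance(old.lower(), new.lower()) <= 2:
        return "new password differs from the old one by at most two characters"
    if _MONTH_YEAR.match(new.lower()):
        return "new password is a month-and-year pattern"
    return None


if __name__ == "__main__":
    # Constructed sample change requests (old, new), not real credentials.
    for old, new in [("strawberry01", "strawberry02"), ("Passw0rd!", "Passw1rd!"),
                     ("correct-horse", "September2009"), ("strawberry01", "Glacier!Kettle7")]:
        print(f"{old!r} -> {new!r}: {rejection_reason(old, new) or 'accepted'}")
```

The check only sees the immediately previous password; comparing against a longer history would require old passwords kept in a comparable form, which is a poor trade for the marginal benefit.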

If you're fed up with constantly changing, and then forgetting, your password, print out this article (or forward a link), and hand it to your IT manager or whoever's in charge of your network. Just say no to overly frequent password changes!

Comments on Frequent Password Change Policy: A Bad Idea


  • 1 Posted by seamusfurr on Thu Sep 3, 2009 9:10PM EDT

    Well put. In my workplace, I have four different passwords, all with different requirements. Since it would defeat the purpose to write them down, I just have to have them reset every month or so when I get locked out. This is not security.

  • 2 Posted by tomw0605 on Thu Sep 3, 2009 10:16PM EDT

    I agree with the article and would support not having to change them as often. The only real advantage I see these days is that it still forces programmers not to hardcode passwords into an app. From the human perspective, unfortunately, it is not always a company's choice whether they want to comply with this policy or not. There are compliance standards such as SOX and PCI, among others, that companies must comply with or be shut down. Oftentimes policies are formed and instituted on the perception of benefit and not on real-world application or experience. I administer firewalls daily, and I think that asking a customer for each of the networks that will need access into our systems and then setting up inbound ACLs on the outside interface for those source AND destination networks/hosts and specific application ports is the most secure method for allowing them access (whether I NAT on the inside interface or not is irrelevant). However, our security department opposes any changes that have more than a few addresses in them, saying that giving access to multiple class C segments opens us up to 100s or 1000s of potential points of attack. They insist I force the customer to NAT all of their traffic to a single or at most a few addresses. I have argued till I am blue in the face that this is less secure in that we lose ALL visibility into what is happening. We no longer have any record of the original source address or of the volume of data accessed by any single source address. Plus, in my scenario, if you have a client with 100 users that need www access to a server you host and 100 users that need DB access to a server you host, you can limit each group to only the server they need access to. If you force the client to NAT all traffic then you no longer have that control. You have to let the single address get to both servers.
    Granted that even in my preferred way the client could hide an unauthorized segment(s) behind an authorized IP, but in that instance you would still see an unusual volume of traffic from an individual host. However, security's stance is that on paper it looks better and meets PCI requirements if we limit access to as few IPs as possible.

  • 3 Posted by midullaben on Sun Jan 21, 2007 5:49AM EST

    Perhaps it would be better to not have a computer to protect what you do not want others to know. There is no password to unlock what is in the most powerful computer of all, our brain.

  • 4 Posted by gardevoir_lv100 on Thu Sep 3, 2009 4:06PM EDT

    Reverse psychology: Who's going to guess something like "000" or " " (a space) as a password? Hackers are excluded because they have no life.

  • 5 Posted by selune13 on Thu Sep 3, 2009 9:12PM EDT

    Amen!! I had one at my old work that insisted we change every month. I always just made the password MMMMYYYY. I mean, who's going to come up with complex passwords every month?

  • 6 Posted by brsherrill on Thu Sep 3, 2009 3:14PM EDT

    When selecting my password I typed a string of garbage then committed it to memory. Is this any safer than, say, using my daughter's middle name and her birth year?

  • 7 Posted by arthurguinness.geo on Thu Sep 3, 2009 2:58PM EDT

    In order to make our office computers more secure, we have been burdened with a few dozen different passwords and each has different requirements. Some must contain at least x numerical digits, some cannot use the same character more than twice, some cannot be too similar to any of the last 12 passwords used, most must be at least x characters long... And they force us to change them on different schedules. It is impossible to commit them to memory, so I gave up and started writing them down on a large piece of paper, taped to the cube wall above my monitor, so that I will not lose it.

  • 8 Posted by aitorbk on Thu Sep 3, 2009 2:48PM EDT

    I must remember more than a dozen passwords that change at least each month for each client that I work for. And then my personal passwords. So I take the simple way: complex passwords written down on my encrypted PC and on my PDA. If someone hacks my PC they will get them in a nice Excel file with the IPs, users and passwords... and the owner of the machines...

  • 9 Posted by afinepoint4u on Thu Sep 3, 2009 2:46PM EDT

    I agree with the article. At my workplace I can think of six passwords off the top of my head that I have to remember. The passwords change at different frequencies, so synchronization is impossible. Most people just write them down somewhere and dig them up as needed. Keeping the password simple by just adding a 01, 02, etc. is the only way to even hope to remember. I took three weeks off over Christmas. Upon returning, two passwords had expired and I had forgotten one or two others. This is added job security for company IT. Why else aren't the department supervisors given rights to reset their groups' passwords? Of the fifteen years I have worked there, only my DOS password has not changed. Go DOS!

  • 10 Posted by rschaet on Thu Sep 3, 2009 8:53PM EDT

    You ought to send this article to the Department of Defense.
