First, there’s a new Common Craft making the rounds about secure passwords. Then yesterday I saw my friend Bobbi Newman’s blog post, How to Create a Secure Password. I didn’t necessarily want to give everyone “the talk” about passwords as part of my 30×30 exercise, but one of Bobbi’s suggestions set me off: change your passwords every six months. Sorry, but no.
Full disclosure: as a state employee I have to change my login password every 90 days. Given the choice I’d rather have to change it every six months, but I still disagree with the concept.
I’ll keep this simple: forcing people to change their passwords ends up causing one or both of the following problems:
- They choose simpler passwords, because a simpler password is easier to remember and every forced change means memorizing a new one yet again.
- They cycle through a small number of passwords over and over again.
This has been known for decades. Check out this quote from UNIX System Readings and Applications, Volume II, published in 1987:
“[password aging] only forces people to toggle back and forth between two passwords. This is not a great gain in security, especially if it encourages the use of less-than-ideal passwords.”
I agree with everything else Bobbi and Common Craft have to say about passwords. So let’s focus on convincing people that creating several (or many) good passwords is worth the time and effort, and not make them worry about having to do it all over again in a few months.
Michael, you’re right, I do cycle through the same passwords over and over at work because we have to change them every 90 days. But I do change my personal ones every 6 months to something new and complex. I think it depends on your level of knowledge of security and general “techiness”. I imagine other techies change theirs frequently too.
Yup, the state making me change my password every 90 days has been a waste of time – for them and for me. I’ve used only 3 or 4 different passwords in the 9 1/2 years I’ve been here. I’ve had the same password for my personal e-mail for…over 10 years? And it’s never been hacked using the password.