30 posts in 30 days #8: Passwords

First, there’s a new Common Craft video making the rounds about secure passwords. Then yesterday I saw my friend Bobbi Newman’s blog post How to Create a Secure Password. I didn’t necessarily want to give everyone “the talk” about passwords as part of my 30×30 exercise, but one of Bobbi’s suggestions set me off: change your passwords every six months. Sorry, but no.

Full disclosure: as a state employee I have to change my login password every 90 days. Given the choice I’d rather change it every six months than every 90 days, but I still disagree with the concept of scheduled password changes at all.

I’ll keep this simple: forcing people to change their passwords on a schedule causes one or both of the following problems:

  1. They choose simpler passwords, because a password that has to be replaced and memorized all over again every few months had better be easy to remember.
  2. They cycle through a small set of passwords over and over again, so an attacker who learned an old one has a good chance of seeing it come back.

This has been known for decades. Consider this quote from UNIX System Readings and Applications, Volume II, published in 1987:

“[password aging] only forces people to toggle back and forth between two passwords. This is not a great gain in security, especially if it encourages the use of less-than-ideal passwords.”

I agree with everything else Bobbi and Common Craft have to say about passwords. So let’s focus on convincing people that creating many distinct, strong passwords, one per account, is worth the time and effort, rather than making them dread having to do it all over again in a few months. A password should be changed when there is reason to believe it has been exposed, not because a calendar says so.

2 Replies to “30 posts in 30 days #8: Passwords”

  1. Michael, you’re right, I do cycle through the same passwords over and over at work because we have to change them every 90 days. But I do change my personal ones every 6 months to something new and complex. I think it depends on your level of knowledge of security and general “techiness”. I imagine other techies change theirs frequently too.

  2. Yup, the state making me change my password every 90 days has been a waste of time, for them and for me. I’ve used only 3 or 4 different passwords in the 9 1/2 years I’ve been here. I’ve had the same password for my personal e-mail for…over 10 years? And it’s never been hacked using the password.
