First, there’s a new Common Craft making the rounds about secure passwords. Then yesterday I saw my friend Bobbi Newman’s blog post How to Create a Secure Password. I didn’t necessarily want to give everyone “the talk” about password as part of my 30×30 exercise but one suggestion of Bobbi’s set me off: change your passwords every six months. Sorry, but no.
Full disclosure: As a state employee I have to change my login password every 90 days. Given the choice I’d rather have to change it every six months but I still disagree with the concept.
I’ll keep this simple, having people change their passwords ends up causing either or both of the following problems:
- They choose a simpler password because they’re easier to remember since every time they change their password they have to remember a new one yet again.
- They end up cycling through a small number of passwords over and over again.
This has been known for decades. Check out this quote from UNIX System Readings and Applications, Volume II published in 1987:
“[password aging] only forces people to toggle back and forth between two passwords. This is not a great gain in security, especially if it encourages the use of less-than-ideal passwords.”
I agree with everything else Bobbi and Common Craft have to say about passwords. So let’s focus on convincing people that creating several/many good passwords is worth the time and effort and not make them worry about the fact that they’ll have to do it all over again in a few months.