30 posts in 30 days #8: Passwords

First, there’s a new Common Craft video making the rounds about secure passwords. Then yesterday I saw my friend Bobbi Newman’s blog post How to Create a Secure Password. I didn’t necessarily want to give everyone “the talk” about passwords as part of my 30×30 exercise, but one of Bobbi’s suggestions set me off: change your passwords every six months. Sorry, but no.

Full disclosure: As a state employee I have to change my login password every 90 days. Given the choice I’d rather have to change it every six months but I still disagree with the concept.

I’ll keep this simple: forcing people to change their passwords causes one or both of the following problems:

  1. They choose simpler passwords, because those are easier to remember and every forced change means memorizing a new one yet again.
  2. They end up cycling through a small number of passwords over and over again.

This has been known for decades. Check out this quote from UNIX System Readings and Applications, Volume II, published in 1987:

“[password aging] only forces people to toggle back and forth between two passwords. This is not a great gain in security, especially if it encourages the use of less-than-ideal passwords.”
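Both failure modes above can be observed from a change log. The following is an added example, not code from the original post: it replays a constructed sequence of password changes through a salted password-history check (which catches the toggling pattern) and separately flags near-variants such as an incremented year, which a plain history check cannot see. The history, the hypothetical `PasswordHistory` class and the `audit` function are all constructed for this illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample: one user's successive passwords under a 90-day rotation
# policy. Plaintext is used only so the pattern is visible in the example.
CHANGE_HISTORY = ["Library!2011", "Summer#14", "Library!2011", "Summer#14", "Library!2012"]

# Iteration count kept low for a quick demo; production should use far more.
def pbkdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

class PasswordHistory:
    """Keeps salted hashes of the last `depth` passwords and rejects exact reuse."""
    def __init__(self, depth: int = 4):
        self.depth = depth
        self.entries = []  # list of (salt, hash); never the passwords themselves

    def seen(self, candidate: str) -> bool:
        return any(hmac.compare_digest(pbkdf(candidate, s), h) for s, h in self.entries)

    def change(self, candidate: str) -> bool:
        """Return False if candidate matches any of the last `depth` passwords."""
        if self.seen(candidate):
            return False
        salt = secrets.token_bytes(16)
        self.entries.append((salt, pbkdf(candidate, salt)))
        self.entries = self.entries[-self.depth:]  # age out the oldest entry
        return True

def base_form(password: str) -> str:
    """Strip trailing digits/punctuation so 'Summer#14' and 'Summer#15' compare equal."""
    return re.sub(r"[\d\W_]+$", "", password).lower()

def audit(history, depth: int = 4) -> dict:
    """Replay a change history: count changes a history check would reject
    (exact toggling) and changes that only bump a suffix on a recent base."""
    store = PasswordHistory(depth)
    exact, variant, recent_bases = 0, 0, []
    for pw in history:
        if not store.change(pw):
            exact += 1
        elif base_form(pw) in recent_bases:
            variant += 1
        recent_bases = (recent_bases + [base_form(pw)])[-depth:]
    return {"changes": len(history), "exact_reuse": exact, "near_variant": variant}
```

For the constructed history, `audit` reports 2 exact reuses and 1 near-variant out of 5 changes, which is the toggling the 1987 quote describes.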

I agree with everything else Bobbi and Common Craft have to say about passwords. So let’s focus on convincing people that creating several (or many) good passwords is worth the time and effort, and not make them worry that they’ll have to do it all over again in a few months.

Published by

Michael Sauers

Michael Sauers is currently the Technology Innovation Librarian for the Nebraska Library Commission in Lincoln, Nebraska and has been training librarians in technology for more than 15 years. He has also been a public library trustee, a bookstore manager for a library friends group, a reference librarian, serials cataloger, technology consultant, and bookseller. He earned his MLS in 1995 from the University at Albany’s School of Information Science and Policy. Michael’s twelfth book, Google Search Secrets (w/ Christa Burns) was published October 2013 and has two more books on the way. He has also written dozens of articles for various journals and magazines. In his spare time he blogs at travelinlibrarian.info, runs Web sites for authors and historical societies, takes many, many photos, and reads more than 100 books a year.

2 thoughts on “30 posts in 30 days #8: Passwords”

  1. Michael, you’re right, I do cycle through the same passwords over and over at work because we have to change them every 90 days. But I do change my personal ones every 6 months to something new and complex. I think it depends on your level of knowledge of security and general “techiness”. I imagine other techies change theirs frequently too.

  2. Yup, the state making me change my password every 90 days has been a waste of time – for them and for me. I’ve used only 3 or 4 different passwords in the 9 1/2 years I’ve been here. I’ve had the same password for my personal e-mail for…over 10 years? And it’s never been hacked using the password.
