Posted on by

30 posts in 30 days #8: Passwords

First, there’s a new Common Craft making the rounds about secure passwords. Then yesterday I saw my friend Bobbi Newman’s blog post How to Create a Secure Password. I didn’t necessarily want to give everyone “the talk” about password as part of my 30×30 exercise but one suggestion of Bobbi’s set me off: change your passwords every six months. Sorry, but no.

Full disclosure: As a state employee I have to change my login password every 90 days. Given the choice I’d rather have to change it every six months but I still disagree with the concept.

I’ll keep this simple, having people change their passwords ends up causing either or both of the following problems:

  1. They choose a simpler password because they’re easier to remember since every time they change their password they have to remember a new one yet again.
  2. They end up cycling through a small number of passwords over and over again.

This has been known for decades. Check out this quote from UNIX System Readings and Applications, Volume II published in 1987:

“[password aging] only forces people to toggle back and forth between two passwords. This is not a great gain in security, especially if it encourages the use of less-than-ideal passwords.”

I agree with everything else Bobbi and Common Craft have to say about passwords. So let’s focus on convincing people that creating several/many good passwords is worth the time and effort and not make them worry about the fact that they’ll have to do it all over again in a few months.

Published by Michael Sauers

Michael Sauers is currently the Director of Technology for Do Space in Omaha, NE. Michael has been training librarians in technology for the past twenty years and has also been a public library trustee, a bookstore manager for a library friends group, a reference librarian, serials cataloger, technology consultant, and bookseller since earning his MLS in 1995 from the University at Albany’s School of Information Science and Policy. Michael has also written dozens of articles for various journals and magazines and his fourteenth book, Emerging Technologies: A Primer for Librarians (w/ Jennifer Koerber) was published in May 2015 and more books are on the way. In his spare time he blogs at travelinlibrarian.info, runs The Collector’s Guide to Dean Koontz Web site, takes many, many photos, and typically reads more than 100 books a year.

2 Replies to “30 posts in 30 days #8: Passwords”

  1. Michael you’re right I do cycle through the same passwords over and over at work because we have to change them every 90 days. But I do change my personal ones every 6 months to something new and complex. I think it depends on your level of knowledge of security and general “techiness”. I imagine other techies change theirs frequently too.

  2. Yup, the state making me change my password every 90 days has been a waste of time – for them and for me . I’ve used only 3 or 4 different passwords in the 9 1/2 years I’ve been here. I’ve had the same password for my personal e-mail for…over 10 years? And it’s never been hacked using the password.

Leave a Reply

Your email address will not be published. Required fields are marked *