Password changing policies

I don't understand having a policy which requires people to change their password every couple months. We have that kind of policy at work and I don't quite get the reasoning behind it.

If someone guesses your password, changing it isn't going to defeat them. The damage is already done. If someone is trying to guess your password, again changing it doesn't necessarily help. Imagine someone doing a dictionary-based attack and trying a million passwords one after another. If you change your password to something they already guessed, then they will finish their attack unsuccessfully and will have to start all over, which is good. However if you change it to something they haven't guessed, they may actually end up guessing your password sooner than they would have, depending on where in the remaining list of passwords you jump to. Worst case scenario is they still guess it, but it takes a bit more time. And what are the chances of changing your password right in the middle of being attacked in this way? This is so stupid that I don't think it's an actual justification, but it's the first thing that came to mind.

There's an argument to be made that accounts should "expire" after a certain amount of time, and forcing you to change your password every couple months prevents old, still-active but unused accounts from accumulating. If an old inactive account is compromised, a malicious user could possibly use the account for an extended period of time without anyone noticing (since no authorized user is using the account on a regular basis). This is my best guess as to the rationale for this policy. But it seems to me that this policy could be implemented just as easily by checking the date an account was last logged on. If I use my account every single day (which I do) I shouldn't have to change my password for this reason.

In practice, forcing people to change their passwords all the time ends up being counter-productive, in my opinion. People can't remember one password, let alone multiple passwords due to changes over time. So everyone thinks of a password, slaps a number on the end, and rotates the password by changing the number. Or something similar. At the very least, I think an argument can be made that the more often you have to think of a password, the less likely you are to think of a GOOD password. If it's a hassle to constantly change it (which I think it is), people will pick short, easy passwords, which is bad. Either that, or people will resort to the infamous "sticky note on the monitor" trick.
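The "slap a number on the end" pattern described above is exactly what a password-change handler can refuse. The following is an added example (not code from this post): a check that runs at change time, when both the old and new plaintexts are in hand, and flags a new password that is the old one with a bumped suffix, toggled leet characters, or a one-character edit. The sample change requests, the filler character set and the 0.8 similarity threshold are constructed assumptions.

```python
import difflib
import re

# Leet-speak substitutions folded back to letters before comparing cores.
LEET = str.maketrans("01345@$", "oleasas")
# Trailing digits and punctuation that users typically "rotate" each period.
TRAILING_FILLER = re.compile(r"[\d!@#$%^&*._-]+$")


def core_of(password: str) -> str:
    """Reduce a password to the part a user is likely to keep across rotations."""
    lowered = password.lower()
    stripped = TRAILING_FILLER.sub("", lowered)
    # A password made only of digits/symbols has no alphabetic core; keep it whole.
    return (stripped or lowered).translate(LEET)


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is `old` with a bumped suffix or a near-identical edit."""
    if core_of(old) == core_of(new):
        return True
    similarity = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return similarity >= threshold


def rejected_changes(attempts):
    """Return the (old, new) pairs a change handler should refuse."""
    return [(old, new) for old, new in attempts if is_trivial_rotation(old, new)]


# Constructed sample change requests (plaintexts exist only at change time).
SAMPLE_ATTEMPTS = [
    ("Winter2006", "Winter2007"),         # classic bump-the-number rotation
    ("P@ssw0rd1", "Password2"),           # same word, leet toggled, suffix bumped
    ("Fluffy.kitten", "Fluffy.kittens"),  # one-character edit
    ("correcthorse", "batterystaple"),    # genuinely new password
]

if __name__ == "__main__":
    for old, new in SAMPLE_ATTEMPTS:
        verdict = "REJECT" if is_trivial_rotation(old, new) else "accept"
        print(f"{verdict}: {old!r} -> {new!r}")
```

The check only catches rotations derived from the immediately previous password; refusing reuse of older passwords needs the usual hashed-history comparison.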

I pretty much never change my password on my home computer, unless I do something stupid and think I may have compromised myself. Maybe this is dumb, but I can't see a need for it.

December 19, 2006 @ 3:37 AM PST
Category: Rants

1 Comment

Quoth Hussam on December 30, 2006 @ 8:22 PM PST

Haven't had an update from you in a while so I thought I'd post here about the new design. I notice your cow has a new calendar to the left with flagged days for a blog entry. I thought that was neat because I volunteered for a ridiculously out of reach project to create a website using php. This would be my first website ever (not to mention I never touched php in my life) and so I was looking around for ideas and thought it'd be neat to have a calendar like that for indicating on what days an order had been placed.

So I gave up after I could not figure out how Keith Deven's code worked to produce a great looking calendar. (I made it a rule if I didn't get the code I wouldn't try to use it). Looking at yours now I feel I should give it another go. Oh and since this isn't my blog I'll stop rambling. Happy holidays.

(Did I mention I think the calendar is new? It might have been there long ago, but I was too distracted by the cow and how cowish it looked.)