Q

Not changing passwords on regular basis

At a recent company security meeting the topic of passwords and renewal came up. The risk management group commented that the recent trend now is not to have end users renew their passwords on a regular basis. They said that system accounts and system administrator levels should continue to do so, but not the average user. I thought their philosophy was strange, since users sharing their passwords is always a problem. Also, as we move towards single sign-on, I thought this was an unusual move in today's security-aware climate. Risk management's argument was that if you make one password hard enough, there is no reason to change it regularly.

A

I'm seeing more of this trend and actually like this "new" way of thinking about passwords. We've all bought into the "minimum eight-character passwords that must be changed every 30 days" mumbo jumbo. Based on my experiences as a consultant, security can remain strong if users are trained (this is key) on six to 12 months. We all know it's human nature to write down (and negate the benefit of) complex passwords that have no personal meaning, especially if they have to be changed often. I'm a huge believer in balancing security with convenience, because if it's not balanced, no one but the hacker wins. Keep in mind that this is an ideal scenario. If you suspect a password is vulnerable because someone shared it, transmitted it via cleartext e-mail, stored it on an unprotected hard drive, etc., then those passwords may need to be changed more often.
For more info on this topic, please visit these SearchSecurity.com resources:
  • Security Policies Tip: Password policy worst practices
  • Best Web Links: Password cracking

This was first published in February 2004
