Ask the Expert

Not changing passwords on regular basis

At a recent company security meeting the topic of passwords and renewal came up. The risk management group commented that the recent trend is to not have end users renew their passwords on a regular basis. They said system accounts and system administrator levels should continue but not the average user. I thought their philosophy was strange since users sharing their password is always a problem. Also, as we move towards single sign-on, I thought this was an unusual move in today's security-aware climate. Risk management's argument was that if you make one password hard enough, there is no reason to change it regularly.


I'm seeing more of this trend and actually like this "new" way of thinking about passwords. We've all bought into the "minimum eight character passwords that must be changed every 30 days" mumbo jumbo. Based on my experiences as a consultant, security can remain strong if users are trained (this is key) and passwords are changed every six to 12 months. We all know it's human nature to write down (and negate the benefit of) complex passwords that have no personal meaning, especially if they have to be changed often. I'm a huge believer in balancing security with convenience, because if it isn't balanced, no one but the hacker wins. Keep in mind that this is an ideal scenario. If you suspect a password is vulnerable due to someone sharing a password, transmitting it via cleartext e-mail, storing it on their unprotected hard drive, etc., then those passwords may need to be changed more often.
For more info on this topic, please visit these resources:
  • Security Policies Tip: Password policy worst practices
  • Best Web Links: Password cracking
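The policy the answer describes (long lifetimes for trained end users, continued regular rotation for administrator and system accounts, and an immediate change whenever exposure is suspected) can be expressed as a small rule set. The following is an added example written for this page, not code from the column or from any product; the role names, the day limits for admin and service accounts, and the strength thresholds are assumed values chosen for illustration, and the accounts in `sample_report()` are constructed.

```python
"""Role-based password-rotation rules, modelled on the Ask the Expert answer above."""
import math
from dataclasses import dataclass
from datetime import date

# Assumed policy values. The 365-day user limit reflects the answer's
# six-to-12-month range; the admin/service limits are illustrative only.
MAX_AGE_DAYS = {"user": 365, "admin": 90, "service": 90}
MIN_LENGTH = {"user": 12, "admin": 16, "service": 24}
MIN_STRENGTH_BITS = 60.0  # assumed floor for "hard enough"


@dataclass
class Account:
    name: str
    role: str                 # one of the MAX_AGE_DAYS keys
    password_set: date        # when the current password was chosen
    compromise_suspected: bool = False  # shared, e-mailed in cleartext, etc.


def password_strength_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of character classes used)."""
    if not password:
        return 0.0
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(charset)


def meets_policy(password: str, role: str) -> bool:
    """Length and strength floor for the given role."""
    return (len(password) >= MIN_LENGTH[role]
            and password_strength_bits(password) >= MIN_STRENGTH_BITS)


def rotation_due(acct: Account, today: date) -> tuple[bool, str]:
    """Decide whether a password change is due and why.

    Suspected exposure always forces a change, regardless of age; otherwise
    the role's maximum age applies.
    """
    if acct.compromise_suspected:
        return True, "suspected exposure"
    age = (today - acct.password_set).days
    limit = MAX_AGE_DAYS[acct.role]
    if age >= limit:
        return True, f"age {age}d exceeds {limit}d limit for {acct.role}"
    return False, f"ok ({age}d of {limit}d)"


def sample_report() -> dict[str, tuple[bool, str]]:
    """Run the rules over a constructed set of accounts as of 2004-02-01."""
    today = date(2004, 2, 1)
    accounts = [
        Account("alice", "user", date(2003, 6, 1)),                 # 245 days old
        Account("bob", "user", date(2002, 12, 1)),                  # 427 days old
        Account("svc-backup", "service", date(2003, 10, 1)),        # 123 days old
        Account("carol", "user", date(2004, 1, 15), True),          # fresh but exposed
    ]
    return {a.name: rotation_due(a, today) for a in accounts}


if __name__ == "__main__":
    for name, (due, reason) in sample_report().items():
        print(f"{name:12} {'CHANGE' if due else 'keep  '}  {reason}")
```

Running the script lists `bob` and `svc-backup` as due on age alone and `carol` as due because exposure is suspected, while `alice` keeps her password; the point is that the trigger for ordinary users is an event or a long clock, not a monthly timer.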

    This was first published in February 2004
