Not changing passwords on regular basis
At a recent company security meeting the topic of passwords and renewal came up. The risk management group commented that the recent trend is to not have end users renew their passwords on a regular basis. They said that system accounts and system administrator-level accounts should continue to do so, but not the average user. I thought their philosophy was strange, since users sharing their password is always a problem. Also, as we move towards single sign-on, I thought this was an unusual move in today's security-aware climate. Risk management's argument was that if you make one password hard enough, there is no reason to change it regularly.
I'm seeing more of this trend and actually like this "new" way of thinking about passwords. We've all bought into the "minimum eight-character passwords that must be changed every 30 days" mumbo jumbo. Based on my experiences as a consultant, security can remain strong if users are trained (this is key) on six to 12 months. We all know it's human nature to write down (and negate the benefit of) complex passwords that have no personal meaning, especially if they have to be changed often. I'm a huge believer in balancing security with convenience, because if they aren't balanced, no one but the hacker wins. Keep in mind that this is an ideal scenario. If you suspect a password is vulnerable because someone shared it, transmitted it via cleartext e-mail, stored it on an unprotected hard drive, etc., then those passwords may need to be changed more often.
For more info on this topic, please visit these SearchSecurity.com resources:
Security Policies Tip: Password policy worst practices
Best Web Links: Password cracking
This was first published in February 2004