Not changing passwords on regular basis

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

At a recent company security meeting the topic of passwords and renewal came up. The risk management group commented the recent trend now is to not have end users renew their passwords on a regular basis. They said system accounts and system administrator levels should continue but not the average user. I thought their philosophy was strange since users sharing their password is always a problem. Also, as we move towards single sign-on, I thought this was an unusual move in today's security-aware climate. Risk management's argument was if you make one password hard enough, there is no reason to change it regularly.
I'm seeing more of this trend and actually like this "new" way of thinking about passwords. We've all bought into the "minimum eight character passwords that must be changed every 30 days" mumbo jumbo. Based on my experiences as a consultant, security can remain strong if users are trained (this is key) on six to 12 months. We all know it's human nature to write down (and negate the benefit of) complex passwords that have no personal meaning, especially if they have to be changed often. I'm a huge believer in balancing security with convenience because if it's not, no one but the hacker wins. Keep in mind that this is an ideal scenario. If you suspect a password is vulnerable due to someone sharing a password, transmitting it via cleartext e-mail, storing it on their unprotected hard drive, etc., then those passwords may need to be changed more often.

For more info on this topic, please visit these SearchSecurity.com resources:

Security Policies Tip: Password policy worst practices

Best Web Links: Password cracking

This was last published in February 2004

Dig Deeper on Password management and policy

All
News
Get Started
Evaluate
Manage
Problem Solve

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

Related Resources

Dig Deeper on Password management and policy

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.