Let’s Stop the Password Madness
The potential harm from someone hacking one of your accounts is real. People and organizations should take security seriously. That said, I think some of the “experts” advising people about security are going too far.
All the systems I interact with—client systems, commercial systems, government systems—want a unique user ID and password to authenticate me. Each has slightly different rules for password formation—it must include a number, a special character (but not some special characters), and a capital letter, and be longer than your belt but shorter than your height, and . . . . I get it; some muggles don’t understand how to create “hard” passwords.
What frosts me is the additional requirement that I change passwords regularly. Much like the “security measure” of asking people to verbally confirm that they aren’t carrying a bomb onto an airplane (number of attacks thwarted = zero), frequent password changes give the appearance of more robust security without actually affecting anything. Let’s unpack this requirement.
If I share passwords with others, regularly changing the password ensures that if that person stops being trusted, his access is eventually denied. This is a valid reason for change (although not sharing passwords seems like a much more robust strategy). Otherwise, changing passwords likely increases the risk that a password will become compromised. If I have to manage fifty strong passwords, I will either write them down (clearly a bad idea) or begin using patterns of similar passwords among different accounts (also a bad idea). Worse, a person forced to invent a new password every thirty days tends to increment a digit or swap a season name on the old one, and anyone who has seen the old password will try exactly those transformations first.
Changing passwords doesn’t thwart a devoted hacker. Let’s imagine I’m holding the nuclear launch codes and some spy is systematically trying every possible combination of the valid characters that might make up my password (a brute-force search, not a dictionary attack, which tries likely words first). Changing the password doesn’t prevent that. The new password is a fresh random draw from the same space, so it may land among the combinations the spy has already tried or among those still ahead of him; either way the change buys at most a small constant factor. Against a spy who cycles through the whole space, it raises his expected number of guesses by less than a factor of two, from about half the keyspace to about all of it, whereas adding one more character to the password multiplies the keyspace, and his guesses, by the size of the alphabet. Furthermore, if the spy knows that I change passwords every thirty days, then he knows to reuse previously tried combinations.
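The guessing argument above, as an added example that is not part of the original post: a short Python model of a spy who tries every combination in a fixed order and wraps around when he reaches the end, against a defender who replaces the password with a fresh random one every so many guesses. The parameters (a keyspace of 1000 candidates, a rotation every 30 guesses, a 62-character alphabet) are made up for illustration, and the attacker model is an assumption of this example. The closed form and the Monte Carlo run agree that rotation raises the spy's expected work by a factor below two, while one extra character multiplies it by 62.

```python
"""Added example (not from the original post): how much does rotating a
password cost a spy running an exhaustive guessing attack?

Assumed model: the spy tries every candidate in a fixed order and wraps
around at the end of the space; the defender picks a uniformly random
password and replaces it with a fresh random one every `rotation_every`
guesses.  Keyspace and rotation period below are illustrative values.
"""
import random


def expected_guesses_no_rotation(n: int) -> float:
    """Sequential search, password never changes: hit position is uniform on 1..n."""
    return (n + 1) / 2


def expected_guesses_with_rotation(n: int, rotation_every: int) -> float:
    """Closed form for the cycling spy.

    Each window of k = rotation_every guesses covers k distinct candidates
    (requires k <= n), and the fresh password lies in that window with
    probability k/n, independently of earlier windows.  The number of failed
    windows is geometric with mean (n - k)/k; the hit inside the winning
    window is uniform on 1..k.
    """
    k = rotation_every
    if not 1 <= k <= n:
        raise ValueError("rotation_every must be between 1 and n")
    return (n - k) + (k + 1) / 2


def simulate_with_rotation(n: int, rotation_every: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo check of the closed form: mean guesses until the spy hits."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        password = rng.randrange(n)
        cursor = 0          # spy's position in his fixed guessing order
        guesses = 0
        while True:
            guesses += 1
            if cursor == password:
                break
            cursor = (cursor + 1) % n          # wrap around: reuse old guesses
            if guesses % rotation_every == 0:  # defender rotates on schedule
                password = rng.randrange(n)
        total += guesses
    return total / trials


def rotation_factor(n: int, rotation_every: int) -> float:
    """Ratio of expected spy work with rotation to work without it (always < 2)."""
    return expected_guesses_with_rotation(n, rotation_every) / expected_guesses_no_rotation(n)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of `length` characters over the alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    N, K = 1000, 30  # illustrative keyspace and rotation period (in guesses)
    print("no rotation, expected guesses:      ", expected_guesses_no_rotation(N))
    print("rotation every", K, "guesses, exact:  ", expected_guesses_with_rotation(N, K))
    print("rotation every", K, "guesses, sampled:", round(simulate_with_rotation(N, K, 2000), 1))
    print("work factor from rotation:          ", round(rotation_factor(N, K), 3))
    print("work factor from one more character:", keyspace(62, 9) // keyspace(62, 8))
```

The simulation is deliberately written as a per-guess loop so the wrap-around and the rotation schedule are visible; the exact formula exists only to confirm that the sampled mean is not an artifact of the random seed.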
All we have accomplished by requiring periodic changes is to make it more productive for the spy to look at scraps of paper around my office (or under my mouse pad), or in my contact database where I recorded the password (what, you thought you were the only one?), or for password patterns in my other accounts that have been hacked and published on the web.
Can we please take a breath, teach people how to build strong passwords, and stop with the regular changes already?
The state site where I pay my corporate taxes has a rule that passwords must be changed once per year. It also gets concerned and offers challenge questions if you log in from a different computer in 2015 than you did when you paid your taxes in 2014. Really? I’ll bet General Motors never logs in from a different computer one year to the next, and they probably feel safer knowing that the security professionals are on the job to detect any possible breach.