
Ok, why change passwords on a schedule?

0 Votes
Locked


AnsuGisalas
This came up recently (http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=331897&messageID=3306625&tag=content;leftCol), and left me unconvinced.
What is the point in forcing regular password changes?
Reasons, rationale, justifications... what are they?
  • 0 Votes
    NickNielsen Moderator

    I change mine because I'm forced to, and I do the same thing everybody else in that situation does: I work sequentially: password1, password2, password3, etc. I know that's not the intent, but I have to remember 9 passwords for work. I'll be darned if I'm going to make it hard on myself.

    0 Votes
    AnsuGisalas

    If people can remember 9 passwords, they should preferably be 9 good passwords, for 9 different sites.

    0 Votes
    NickNielsen Moderator

    People don't remember 9 different passwords, they remember just one, for 9 different sites.

    All 9 of mine are quite similar, but not identical. Again, I'm not going to make it any harder than it has to be.

    0 Votes
    AnsuGisalas

    People have limited patience with security.
    Heck, I know that logging in as admin isn't safe for day to day stuff, but I still can't get used to not being able to do those three semi-rare things that require admin status without *gasp* changing users for half an hour.
    But focusing on a few meaningful measures and hammering them in loud enough, people could learn to use at least different security levels of passwords. To have f.ex. one unique for banking, one unique for official crap, one for low-security activities and one for potential risk activities. That falls within the 3+2 range of different things people can remember, and it makes a big difference both over low-difficulty passwords and over having the same passwords for critical and risky/lowsec activities.

    0 Votes
    NickNielsen Moderator

    My passwords are all based on a strong phrase that includes case changes, numbers, and special characters and gets a 71% from Password Meter (http://www.passwordmeter.com/). All the passwords based on that phrase (except two) score 90% or better. The two exceptions do not allow me to use the entire phrase because they are limited to 8 alphanumeric characters, but they are only valid inside a physically secured area.

    0 Votes
    .Martin.

    If someone is trying to get into your computer without your knowledge, it is harder if the password is changing, i.e., every time the password changes, they essentially have to start again.

    If someone knows your password, and is using your account without your permission, if you change the password, they are locked out.

    0 Votes
    AnsuGisalas

    The bad guys spend their resources wisely, why spend time cracking "1kz3hARjeeEa" when they can crack 10^6 instances of "admin" in the same time?
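    A password-history check of the kind this thread's "password1, password2, password3" scheme calls for, written as an added example that is not from the thread or from TechRepublic. The similarity threshold and the sample history are assumptions; the point is that a rotation policy only buys anything when the new password is not a predictable step from the old one.

```python
import re
from difflib import SequenceMatcher

# Trailing run of digits, e.g. "password3" -> base "password", counter 3.
COUNTER_RE = re.compile(r"^(.+?)(\d+)$")

def split_counter(pw):
    """Return (base, counter) for 'base123', or (pw, None) when there is no trailing number."""
    m = COUNTER_RE.match(pw)
    if not m:
        return pw, None
    return m.group(1), int(m.group(2))

def is_trivial_rotation(old, new, threshold=0.8):
    """True when `new` is a predictable variation of `old` (case-insensitive).

    Catches the sequential scheme (password1 -> password2), appending or
    bumping a counter, and small edits such as adding one symbol.
    `threshold` is an assumed similarity cut-off, not a standard value."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    # Same text once trailing digits are removed: the counter is the only change.
    if split_counter(o)[0] == split_counter(n)[0]:
        return True
    # Otherwise fall back to a general similarity ratio (1.0 means identical).
    return SequenceMatcher(None, o, n).ratio() >= threshold

def check_new_password(new, history):
    """Compare a proposed password against prior ones; return the list of
    previous passwords it is a trivial rotation of (empty list means accept)."""
    return [old for old in history if is_trivial_rotation(old, new)]

if __name__ == "__main__":
    # Constructed history, modelled on the thread's "password1, password2" example.
    history = ["password1", "password2"]
    for candidate in ["password3", "Password2!", "Winter2009", "1kz3hARjeeEa"]:
        hits = check_new_password(candidate, history)
        print(candidate, "rejected, too close to" if hits else "accepted", hits)
```

    A real deployment would run this against stored hashes only if the old plaintext is still available at change time (it is, briefly, when the user supplies the current password to authorise the change), and would never keep plaintext history around afterwards.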
