Convince me I should change my password - TechRepublic
General discussion
May 3, 2001 at 05:42 PM
shanghai sam

Convince me I should change my password

by shanghai sam

I’ve studied the issue and read all the reports, and I am just not convinced that frequent changes of passwords improve security.

To all the security pros out there: convince me that I am wrong.

The current mantra about passwords goes something like this:
– make them difficult.
– use a unique password for every application, i.e. don’t use the same password on two or more systems.
– change them frequently.
– don’t reuse passwords.

Taking into account my Yahoo, Hotmail, a dozen shopping sites, TechRepublic, 15 applications at my office, and a bit of Internet banking, I would probably need 30-odd unique passwords.

Which all should be changed every three weeks or so.

And should never be repeated.

If I had to enforce this policy at my company all I would do is encourage the writing down of passwords. Golly-geez, now I am really secure (not!).

So, … I propose that a password policy should be something like this.

– create three, very difficult to guess, passwords of 12 characters or more.

– use one for the office, use one for the internet, and the last one for your personal finances (banks, stocks, etc).

– change the passwords once a year.

The logic behind changing passwords frequently is to limit the time of exposure after a breach. Now, if the policy is to change once a month, then the mean time of exposure is two weeks. Just how much “security” have I got if I limit a bad guy to having only two weeks of access?

Using this logic I should require passwords to be changed every day, or even better, every hour! Now THAT would limit my exposure window.

So there it is: convince me that frequent changes to passwords improve my security.

Thank you for your input.

Craig
