Study: Frequent password changes are useless

Study: Frequent password changes are useless

Users hate them. They're a massive headache to network administrators. But IT departments often mandate them nonetheless: regularly scheduled password changes — part of a policy intended to increase computer security.

Now new research proves what you've probably suspected ever since your first pop-up announcing that your password has expired and you need to create a new one. This presumed security measure is little more than a big waste of time, the Boston Globe reports.

Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says.

On the bright side, changing your password isn't harmful, either, unless you use overly short or obvious passwords or you're sloppy about how you remember them. (Many users forced to change their password too frequently resort to writing them on sticky notes attached to their monitor, about the worst possible computer security behavior you can undertake.)

http://news.yahoo.com/s/ytech_wguy/20100413/tc_ytech_wguy/ytech_wguy_tc1590

so there

heh

I've had the same password since 1992, and noone has guessed what it is yet.

Since '98.

I've been using the same one (whenever possible) since 1982.

The newer systems I am on require a number in the password, so it is <password>1.

When it is time to change it, I do so, and then log in as root and change it back (It's good to be the king).

"MickeyMinniePlutoGoofeyDonaldHueyDeweyLouieSacramento", was so long?

She said she was told her password had to be at least eight characters and a capitol.

at a place where I had to sign in to about four different computer systems every day. One never required me to change my password. The other three required me to change but each one was on a different change schedule. It wasn't long before I had FOUR different passwords, because I couldn't go back and use an earlier one for something like three cycles of the password change. I was having a lot of trouble remembering which password when with which system, and about twice a week I'd lock myself out of a system, because I'd tried the wrong password too many times in a row and would have to call IT to get me back in.

I HATED it.

The other thing that makes me crazy is how some systems absolutely insist on at least six characters, others require seven or eight, and they'll have different requirements about numerals being mandatory, or at least one letter capitalized. So while I've been using the same password on a bunch of things for about ten years, I keep on having to dream up new ones which I can never remember.

Oh, and you're never supposed to write them down anywhere.

A password you can remember is a lot more secure than one you have to keep written down on your desk!

...and that's what's important.

I have to change about 5 passwords at work once every 30-90 days. Each password has different requirements and different intervals when they must be changed, so you can't use the same one for all. It also has to contain upper and lower case, numbers, and special characters, so you can forget using something that's easy to remember, like your pet name for your wife's left breast. So you either have to write it down somewhere, or call IT every Monday to reset your passwords when you've forgotten them over the weekend.