A little off the topic, but can anyone explain the theory of password security to me? Specifically, how does requiring me to periodically change my password improve security?
Like most of you, on some of my online accounts I am reminded every few months that I must change the password. Apparently, this is supposed to make it harder for anyone to hack into my account. But how so? I argue that requiring periodic password changes significantly weakens security. Reasons why:
1) If I never have to change my password, then I can come up with a really complicated one that will be hard to figure out.
2) If I have to change my password periodically, then it is impractical to come up with something really complicated as I won't be able to remember it and will just end up getting my account suspended for password failures. Therefore, I will do one of these things:
- Make the password really easy so I can remember it. (Isn't this why "password" is the most popular password?)
- Use the same easy password on all my accounts so I can remember them.
- Write the passwords somewhere so they will be readily available, like on a piece of paper in my wallet, or on a sticky note on my monitor.
- All of the above.
Of course, these actions kind of go against the objective of password security.
I have heard only one semi-plausible argument for requiring the changing of passwords. This is the scenario of someone surreptitiously obtaining your password and getting into your account without your knowledge. You may never detect they have been using your account. However, they can no longer do this once you change your password.
I grant that this could happen, but really, is this the best argument IT security officers can come up with? If they got into my bank account, wouldn't they drain it immediately, so I'd realize someone had broken in? If they got into my email account to peruse my correspondence, wouldn't they be delightfully entertained by the repartee of which I partake? And if they got into my LinkedIn, wouldn't they be impressed by my credentials and extensive social network of important figures in the world of business forecasting?
Please, IT departments of the world, end this nonsense of requiring the periodic changing of passwords. Or else come up with a better reason why it is such a good idea.
Are there good reasons to change passwords? Please advise...
2 Comments
Although I generally agree with you (and don't get me started on "never write it down") its the "small ticket" items like email, facebook, LinkedIn, etc, etc than can cause the long term problem. If someone gets your complex bank account password, then they've probably got your password for most of the other services you use online (because you've made it complex and hard to guess you've probably reused it everywhere). Identity theft is a short step away, and the first time you'll know about that is when the bank is asking why you haven't kept up the payments on the 50k loan you took out last month. Agreed, this event will make you aware that someone's got your password, but its a painful way to find out.
I used to work in IT and security was part of my remit. As far as passwords were concerned, my take was:
1) make it long or complex (long is better),
2) have a few characters within it that you can easily change and re-remember,
3) if you want to write something down, write down only the bits you won't remember and leave a hint for the rest, and put it somewhere out of context (i.e. not stuck to your monitor!).
If your reminder doesn't look like a password (e.g. "garden$gate then dob, this month" meaning perhaps "garden$gate03057510") then by all means stick it in your wallet. I'm certainly more paranoid about losing my wallet in the office than leaving some random bit of paper on my desk accidentally.
It needs to be a pragmatic approach, but some IT Security Officers just don't try to balance security and usability.
I can't comment on if/why changing passwords makes you more secure. But, I do remember my passwords. I use long words or phrases that ARE memorable to me and then I swap out some of the letters or words for special characters and numbers. I end up having a password that is strong but still relatively easy to remember.