A little off the topic, but can anyone explain the theory of password security to me? Specifically, how does requiring me to periodically change my password improve security?
Like most of you, on some of my online accounts I am reminded every few months that I must change the password. Apparently, this is supposed to make it harder for anyone to hack into my account. But how so? I argue that requiring periodic password changes significantly weakens security. Reasons why:
1) If I never have to change my password, then I can come up with a really complicated one that will be hard to figure out.
2) If I have to change my password periodically, then it is impractical to come up with something really complicated as I won't be able to remember it and will just end up getting my account suspended for password failures. Therefore, I will do one of these things:
- Make the password really easy so I can remember it. (Isn't this why "password" is the most popular password?)
- Use the same easy password on all my accounts so I can remember them.
- Write the passwords somewhere so they will be readily available, like on a piece of paper in my wallet, or on a sticky note on my monitor.
- All of the above.
Of course, these actions kind of go against the objective of password security.
I have heard only one semi-plausible argument for requiring the changing of passwords. This is the scenario of someone surreptitiously obtaining your password and getting into your account without your knowledge. You may never detect they have been using your account. However, they can no longer do this once you change your password.
I grant that this could happen, but really, is this the best argument IT security officers can come up with? If they got into my bank account, wouldn't they drain it immediately, so I'd realize someone had broken in? If they got into my email account to peruse my correspondence, wouldn't they be delightfully entertained by the repartee of which I partake? And if they got into my LinkedIn, wouldn't they be impressed by my credentials and extensive social network of important figures in the world of business forecasting?
Please, IT departments of the world, end this nonsense of requiring the periodic changing of passwords. Or else come up with a better reason why it is such a good idea.
Are there good reasons to change passwords? Please advise...
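The trade-off the post describes can be put into numbers. The following Python is an added example, not code from the original poster: it takes the one argument the post grants (a silently stolen password stops working at the next forced change) and sets it against the cost the post complains about (rotation pushing people toward short, memorable passwords). All inputs are constructed assumptions: a 90-day rotation period, a compromise that begins at a uniformly random point in the cycle, a detection lag in days, and an offline guessing rate of one billion guesses per second.

```python
import math

# Constructed model (not from the post): an attacker who quietly obtains a
# password gains access at a moment chosen uniformly within the rotation
# cycle, and keeps it until the password is rotated or the compromise is
# detected, whichever comes first.


def expected_exposure_days(rotation_days, detection_days=None):
    """Mean number of days a silently stolen password stays usable.

    rotation_days:  forced-change interval in days, or None for no rotation.
    detection_days: days until the owner notices, or None for never noticed.
    """
    if rotation_days is None:
        if detection_days is None:
            return math.inf           # never rotated, never noticed: open-ended
        return float(detection_days)  # only detection ends the access
    if detection_days is None:
        return rotation_days / 2      # uniform start: on average half a cycle is left
    d = min(detection_days, rotation_days)
    # E[min(R - t, D)] for t ~ Uniform(0, R), with D clipped to R:
    # (1/R) * (D*(R-D) + D^2/2) = D - D^2 / (2R)
    return d - d * d / (2 * rotation_days)


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password drawn from the alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every password in the space at a fixed guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare_policies(rotation_days=90, detection_days=30, guesses_per_second=1e9):
    """Put the two sides of the post's argument next to each other.

    'strong' is a 16-character password over the 94 printable ASCII symbols,
    the kind the post says people choose when they never have to change it;
    'weak' is 8 lowercase letters, the kind people fall back to under rotation.
    """
    strong_bits = entropy_bits(16, 94)
    weak_bits = entropy_bits(8, 26)
    return {
        "exposure_days_no_rotation": expected_exposure_days(None, detection_days),
        "exposure_days_with_rotation": expected_exposure_days(rotation_days, detection_days),
        "strong_bits": strong_bits,
        "weak_bits": weak_bits,
        "strong_years_to_exhaust": years_to_exhaust(strong_bits, guesses_per_second),
        "weak_years_to_exhaust": years_to_exhaust(weak_bits, guesses_per_second),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:>30}: {value:.4g}")
```

With these assumed numbers, a 90-day rotation trims the mean exposure of an undetected stolen password from 30 days to 25, while the fallback to an 8-letter password shrinks the search space from roughly 105 bits to about 38, i.e. from an effectively unsearchable space to one exhausted in minutes. The model also shows when rotation does bite: if the owner would never notice (`detection_days=None`), rotation caps the average exposure at half a cycle instead of leaving it open-ended, which is the scenario the post acknowledges as the only plausible argument.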