
Frequent password changes are useless

Posted: Thu Apr 15, 2010 2:04 am
by 5829
http://www.recordonline.com/apps/pbcs.d ... 86/-1/NEWS

AP Lifestyle
Study: Frequent password changes are useless
Published: 8:33 AM - 04/14/10
Last updated: 8:34 AM - 04/14/10

Users hate them. They're a massive headache to network administrators. But IT departments often mandate them nonetheless: regularly scheduled password changes — part of a policy intended to increase computer security.

Now new research proves what you've probably suspected ever since your first pop-up announcing that your password has expired and you need to create a new one. This presumed security measure is little more than a big waste of time, the Boston Globe reports.

Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says.

On the bright side, changing your password isn't harmful, either, unless you use overly short or obvious passwords or you're sloppy about how you remember them. (Many users forced to change their password too frequently resort to writing them on sticky notes attached to their monitor, about the worst possible computer security behavior you can undertake.)

Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher's very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes' averted losses, but few would estimate it's anywhere approaching $16 billion a year.

Bottom line, IT departments: Drop the password-change mandates. You're only creating extra work for yourselves and making the rest of us hate you.

Re: Frequent password changes are useless

Posted: Sat Apr 17, 2010 1:27 am
by Splash
I concur, I almost never change my passwords once I set them to an account unless I have to recover it and they force me to change my password then. Honestly speaking, how often is it that someone will find out your password right before your, let's say, weekly scheduled password change? Even if this helps a little, all it takes is one log on and you could be totally screwed by the hacker or whoever it is that found out your password. Anyone with common sense would know this, but unfortunately common sense is becoming a much rarer trait in society :(

Re: Frequent password changes are useless

Posted: Sat Apr 17, 2010 3:31 am
by jdog
5829 wrote:Bottom line, IT departments: Drop the password-change mandates. You're only creating extra work for yourselves and making the rest of us hate you.
I've been working in IT for 12 years now. How has it ever been extra work for me? Even when I was in the USAF, where 8-character, complicated, non-dictionary passwords are standard, it was never extra work for me. If you are thinking that it makes extra work for the Help Desk then you are wrong. It helps justify their positions with all the calls they get because people forget their passwords and lock themselves out. That and they are the first line of defense (aka bitching and moaning) when something doesn't work. That prevents me, a system admin, from having to hear shit all day long because I get paid too much to hear bitching and moaning from end users.

But password changes are best practice for security reasons. The end user (you) is merely concerned about their e-mail and internet access and whatever other network resources you use in your job. The IT department is concerned about you screwing up and writing your password on a sticky note and putting it on your monitor. That's why we force things like enterprise antivirus solutions, Group Policy and password requirements - minimum characters, complicated characters, non-dictionary words and even max number of attempts before your account is locked out.

What is worse? You changing your password every 3 months or someone getting your password and screwing up company data with the access that you have and then costing you your job?

Fuck, I am so paranoid of my ex-wife trying to hack my Gmail and bank accounts that I change those on a regular basis too.

Re: Frequent password changes are useless

Posted: Sat Apr 17, 2010 8:53 pm
by 5829
I am not against password changes, but some points.

Chances are people who find out your password are not going to wait to use it. So if they are going to do damage it will be done before you get a chance to change it, or even notice that it has been stolen.

It might be a justification for the help desk position, but it also accounts for lost time and productivity for the person who needs their password changed. Especially off shift when there is nobody staffing the help desk and it is necessary to call somebody at home. Or they leave a message and they just don't do something that day. Or they use somebody else's login.

The complexity and changes are one of the main reasons that people write down their passwords. Along with requiring different passwords for different applications.

A lot of people change their password by only one character. Like changing a 1 to 2 or A to B.

If you are talking about things like spyware, loggers, etc., then it does not matter how complex your password is or how often you change it.

Password recovery options where they ask you a couple of questions and let you enter a new password are also somewhat insecure.

What do I think is the best password protection? The two level RSA SecurID (or something similar). Of course people still forget their pins. And lose the SecurID. But even if they write their pin down, it is better than writing your password down.

But with all the passwords, changing, complexity, etc., most of the problems come down to one thing - people. Writing down the passwords, giving them to other people, leaving themselves logged on, not locking the PC when they leave (even if it is just for a couple of minutes) and stuff like that.
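The "change a 1 to a 2 or an A to a B" rotation 5829 describes is easy to catch at change time, because that is the one moment the server holds both the old and the new password in the clear. The check below is an added example, not code from this forum or from any directory product: it rejects a new password that is the current one with only the trailing number bumped or fewer than a few characters changed, and it rejects exact reuse against a hashed history. The policy values (8-character minimum, a required digit, a minimum of three edits, the PBKDF2 parameters) are assumptions; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Assumed policy values for this example (the thread mentions an 8-character
# minimum plus a number); tune them to the real policy.
MIN_LENGTH = 8
MIN_EDITS = 3            # new password must differ from the current one by at least this many edits
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored history hashes

HashEntry = Tuple[bytes, bytes]  # (salt, PBKDF2 digest)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b. "1" -> "2" or "A" -> "B" scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca with cb
        prev = cur
    return prev[-1]


_STEM = re.compile(r"^(.*?)\d*$")  # text before an optional trailing run of digits


def same_stem(a: str, b: str) -> bool:
    """True when a and b are the same text apart from a trailing run of digits
    (Password1 -> Password2, Spring09 -> Spring2010), compared case-insensitively."""
    stem_a = _STEM.match(a).group(1)
    stem_b = _STEM.match(b).group(1)
    return stem_a != "" and stem_a.lower() == stem_b.lower()


def hash_password(password: str, salt: Optional[bytes] = None) -> HashEntry:
    """Salted PBKDF2-HMAC-SHA256, the form in which history entries are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, entry: HashEntry) -> bool:
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_change(current: str, new: str, history: List[HashEntry]) -> List[str]:
    """Run at change time. `current` is the plaintext the user just typed to prove
    ownership, so it can be compared character by character with `new`; `history`
    holds only salted hashes of earlier passwords, so only exact reuse is detectable
    there. Returns the list of violations; an empty list means the change is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", new):
        problems.append("contains no digit")
    if new.lower() == current.lower():
        problems.append("same as the current password (ignoring case)")
    elif same_stem(current, new):
        problems.append("only the trailing number changed")
    elif edit_distance(current.lower(), new.lower()) < MIN_EDITS:
        problems.append(f"fewer than {MIN_EDITS} characters changed")
    if any(matches(new, entry) for entry in history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample: the user's two earlier passwords, stored hashed.
    history = [hash_password("OldSecret42"), hash_password("Winter2009!")]
    for candidate in ["Password2", "Summer2010b", "OldSecret42", "correct horse battery 7"]:
        print(candidate, "->", check_change("Password1", candidate, history) or "accepted")
```

The distance and stem checks can only be applied against the current password, because earlier entries exist only as salted hashes; that is also why a stored history cannot stop a user from alternating between two trivially related passwords across several changes unless the current-password comparison catches each step.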

Re: Frequent password changes are useless

Posted: Sun Apr 18, 2010 12:24 am
by jdog
5829 wrote:I am not against password changes, but some points.

Chances are people who find out your password are not going to wait to use it. So if they are going to do damage it will be done before you get a chance to change it, or even notice that it has been stolen.

It might be a justification for the help desk position, but it also accounts for lost time and productivity for the person who needs their password changed. Especially off shift when there is nobody staffing the help desk and it is necessary to call somebody at home. Or they leave a message and they just don't do something that day. Or they use somebody else's login.

The complexity and changes are one of the main reasons that people write down their passwords. Along with requiring different passwords for different applications.

A lot of people change their password by only one character. Like changing a 1 to 2 or A to B.

If you are talking about things like spyware, loggers, etc., then it does not matter how complex your password is or how often you change it.

Password recovery options where they ask you a couple of questions and let you enter a new password are also somewhat insecure.

What do I think is the best password protection? The two level RSA SecurID (or something similar). Of course people still forget their pins. And lose the SecurID. But even if they write their pin down, it is better than writing your password down.

But with all the passwords, changing, complexity, etc., most of the problems come down to one thing - people. Writing down the passwords, giving them to other people, leaving themselves logged on, not locking the PC when they leave (even if it is just for a couple of minutes) and stuff like that.
Most companies do not require complex passwords, at least from my experience. In the USAF it was standard to have complex passwords, but after I separated, every job I have held since does not require anything more than an 8-character minimum plus a number.

There is no "lost productivity" either. If you forgot your password then you simply make a phone call and it's done. There's probably more lost productivity due to socializing and smoke breaks than there is by the typical password reset that rarely occurs even with large sized networks.
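The two-level token login 5829 recommends (quoted in the reply above) works because the code changes every few seconds, so a password or PIN copied from a sticky note is not enough on its own. The block below is an added example of the open-standard version of that idea, HOTP (RFC 4226) and TOTP (RFC 6238), not RSA SecurID's own algorithm and not code from this forum. The shared secret is the RFC test secret, the PIN is made up, and storing the PIN in the clear is a simplification for the example.

```python
import hashlib
import hmac
import struct

# Assumed values for this example. SECRET is the RFC 4226 / RFC 6238 test secret;
# a real token has its own random seed provisioned at enrolment.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock, so the code
    rolls over every `step` seconds without any state on the server."""
    return hotp(secret, unix_time // step, digits)


def verify_login(entered: str, pin: str, secret: bytes, now: int, window: int = 1) -> bool:
    """Accept `entered` = PIN immediately followed by the current code, allowing
    `window` time steps of clock skew on either side. The PIN and every candidate
    code are compared in constant time and no branch returns early, so timing does
    not reveal which half failed."""
    if len(entered) != len(pin) + DIGITS:
        return False
    pin_ok = hmac.compare_digest(entered[:len(pin)], pin)
    code = entered[len(pin):]
    code_ok = False
    for skew in range(-window, window + 1):
        expected = hotp(secret, now // STEP_SECONDS + skew)
        code_ok |= hmac.compare_digest(code, expected)
    return pin_ok and code_ok


if __name__ == "__main__":
    # Constructed scenario: the user types their PIN plus the token display at T=59.
    pin = "1234"                       # made-up PIN
    now = 59                           # RFC 6238 test time; code is 287082
    print("token shows", totp(SECRET, now))
    print("correct PIN + code :", verify_login(pin + totp(SECRET, now), pin, SECRET, now))
    print("PIN from sticky note, no token:", verify_login(pin + "000000", pin, SECRET, now))
    print("same code two minutes later   :", verify_login(pin + totp(SECRET, now), pin, SECRET, now + 120))
```

A production verifier also records the last accepted counter per user so a code observed over someone's shoulder cannot be replayed inside the skew window, stores the PIN hashed, and rate-limits attempts, since six digits is a small space if unlimited guesses are allowed.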

Re: Frequent password changes are useless

Posted: Tue Apr 20, 2010 5:43 pm
by AYHJA
I agree, password changes are a HUGE waste of time...The LastPass extension in Firefox is the best ever for managing all the damn passwords I have to create traveling across the net...Not sure about all the wasted bread or extra work, but whatever...

Re: Frequent password changes are useless

Posted: Wed Apr 21, 2010 11:11 am
by jdog
Über wrote:I agree, password changes are a HUGE waste of time...The LastPass extension in Firefox is the best ever for managing all the damn passwords I have to create traveling across the net...Not sure about all the wasted bread or extra work, but whatever...
I think we're referencing more business related than home/personal use. :silly:

Re: Frequent password changes are useless

Posted: Fri Apr 23, 2010 12:45 am
by 5829
During a recent company password audit, it was found that somebody was using the following password: "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento". When asked why they had such a long password, they said they were told their password had to be at least 8 characters long and include at least one capital.