Do not force Periodic Password Changes

Every 90 days my employer forces me to change my password for our systems. And I hate it!

But I don't hate it that much anymore since I found out that they only keep track of my 10 latest passwords. And that the password length is just 10 characters. So I have invented a password short enough to remember and just change the last digit from 0 to 1, to 2, to 3 and so on. And after 10 times 90 days it is time for me to change my password back to the original Beefb4b3!0 again.


So, what good does it do to force me to cycle between Beefb4b3!0, Beefb4b3!1, Beefb4b3!2 and so on every 90 days?


“Oh, the hacker that gets your password will lose access within 90 days when you change your password”

Yeah. So if someone gets my password without my knowledge, do you really think that I will never notice that? Will the haxxer not destroy anything that makes me aware that I have been hacked? And most importantly: will the haxxer not first of all install some kind of backdoor to get access to my system/computer even without future access to my current password?


If the reason to change passwords periodically is to make sure that no one can reuse my current password, then we should have ONE TIME passwords. Those are safe! If someone peeks over my shoulder to see my OTP they are welcome. :-)


If I am ever a sysadmin or in a position where I set the rules for passwords, I would do it like this in my organisation:

  1. Educate the users to NEVER share passwords with anyone and NEVER write them down. And IF they suspect that someone knows their password, they should treat it like a lost credit card: report it immediately!
  2. Encourage the users to be creative with their passwords in order to make passwords that they never forget.
  3. Set the minimum password length to at least 15 characters. Do not require caps/numbers or special characters.
  4. Most important: do NOT force users to change passwords periodically.
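The rotation trick described above (Beefb4b3!0, Beefb4b3!1, ...) only works because the system compares the new password with the old ones literally. As an added illustration, not code from the original post, here is a change-time check in the spirit of items 3 and 4: a 15-character minimum with no composition rules, plus a comparison against the full password history that treats a trailing-counter change, a case change or any single-character edit as the same password. The function names, the `MIN_LENGTH` value and the plaintext history list are assumptions for the example.

```python
import re

MIN_LENGTH = 15  # item 3 of the list above: length instead of composition rules


def _core(pw: str) -> str:
    """Lower-case the password and drop the trailing run of digits/symbols so
    the rotated family Beefb4b3!0, Beefb4b3!1, ... all map to one core."""
    return re.sub(r"[0-9!@#$%^&*._-]+$", "", pw).lower()


def _within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def is_trivial_variant(new_pw: str, old_pw: str) -> bool:
    """The rotation trick: same password with only the tail or one char changed."""
    new_core, old_core = _core(new_pw), _core(old_pw)
    return (
        new_pw.lower() == old_pw.lower()
        or (new_core == old_core and len(new_core) > 0)
        or _within_one_edit(new_pw.lower(), old_pw.lower())
    )


def validate_change(new_pw: str, history: list[str]) -> list[str]:
    """Return the policy violations for a proposed password; empty means accept.

    history: every previous password of the account (assumed available in
    plaintext here for illustration; a real system would compare hashes).
    """
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Check the whole history, not just the last 10 entries, so that cycling
    # back to the original after ten rotations is also rejected.
    if any(is_trivial_variant(new_pw, old) for old in history):
        problems.append("trivial variant of a previous password")
    return problems
```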


That's my dream! 😉


Do you agree? Disagree? There are many strong opinions on this subject. Please comment and give feedback on this post. I appreciate it!

Posted in General Networking