At work they enforce changing our passwords on a periodic basis, and that's a fairly common security measure in order to avoid having hackers hijack computer resources. I have learned to accept this grudgingly as a good, yet annoying, process.
However, Steve Gibson of Gibson Research has passed along word from another security guru named Cormac (didn't pick up the last name) that changing a perfectly good non-hacked password on any kind of rational schedule is likely quite pointless. When he said this (check out the podcast Security Now!, episode 229, "The Rational Rejection of Security Advice") I was at first aghast at the idea, but the rationale for not bothering seems upon some thought to be quite valid.
Consider that if someone who is not supposed to know your password learns it, when is he going to use it to do something bad? Right away, or is he going to wait for a couple of weeks? The answer is, probably right away. So if you change your password every six weeks, for example, what are the odds that you're changing the password just before someone who has learned your password is going to use it for the first time? Almost no chance at all! And if they do learn my password, and use it, I'm going to find out in very short order and change it immediately -- especially if it costs me money (like my bank account getting hacked). So the whole notion of changing your password periodically only makes sense if the account you're protecting doesn't matter all that much! Heh.
I listen to Security Now! regularly, and I recommend it for anyone who wants to keep up with security and the mitigation of security threats.
Geek Speak
1/6/2010 4:53:03 PM UTC