Is it helpful to change passwords regularly?
Comments
-
One thing I've always wondered about is the benefit of being forced to change your password frequently. I work somewhere with no rules on when or how often passwords should be changed, and obviously leads to some people never changing their password, but a friend of mine works for a company where he has to change his password every 6 months. Each password has really stringent requirements in that it must have upper and lower case characters, as well as numbers and at least one printable punctuation character, and be over a certain length. Also, it must never have been used before.
Once you've got a strong password, why should it need to be changed? I'm not convinced that the physical metaphor of a "moving target" really applies.
Someone once tried to answer my question by saying "your password could be cracked, giving someone access to a system, but they don't do anything with it immediately, rather waiting some length of time before doing something nefarious". I don't believe that; surely once someone's in, they're in - all bets are off from that point onwards.
There's also the counter-argument that says if you require someone to change their password every six months to something nigh-on impossible to remember, they're going to write it down somewhere, thereby actually reducing security rather than increasing it.
0 -
Advice to change passwords regularly presupposes password reuse. If you are using unique passwords everywhere it isn't generally worth the effort. From a security standpoint, hackers don't normally sit around waiting to use a password. They will try to use it right away. So, in that sense, it doesn't matter how many times you changed the password in the past several months. An attacker who gets the current one will — well, he'll have the current one. :)
I always thought it was a bit like preemptively rebuilding your house every year because you live in an earthquake zone. It doesn't really do a lot of good and ends up being a lot of work. When an earthquake hits any damage will be to the current house not one you already tore down.
That said, one of the benefits of using 1Password is that you can change passwords regularly (if required to do so by an employer, for example), use unique ones everywhere, and it hardly makes a difference since 1Password is generating and remembering them for you. The cognitive burden is not increased since 1Password is doing the heavy lifting. As a 1Password user, you have the luxury of using your brain for more interesting things…like raising this great question.
0