julesmarie | 11 years ago
You are better off helping everyone understand the value of a passphrase vs a password.
This xkcd can help - http://xkcd.com/936/
luckyno13 | 11 years ago
I have just always thought the forced changes were unnecessary if the password was strong enough to begin with, and managed in a proper/secure way on the server end. Because it doesn't matter if the password is one day, or 6 years old, the chances are that unless you are high priority, an attack on your password is a here and now event, not a prolonged attack (unless you are a direct target). Even in the event of prolonged attacks, there should be other measures in place to mitigate that avenue of exploit.
My only beef with non-forced has been that over time, I feel the tendency for that particular password to be reused on multiple accounts would increase, therefore weakening it.
Like all theories though, I like to keep an open mind to all outlooks, I am by no means an expert. I just know that our policies make me uncomfortable.