Educause Security Discussion mailing list archives
Re: Frequency of password change
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 23 Aug 2005 09:02:20 -0400
Gene Spafford wrote:
I know this has been a topic here before, but I failed to archive the info. Does anyone have references to any good studies that show that changing passwords once a month (or every 8 weeks, etc.) is too FREQUENT and leads to more cases of people forgetting passwords, picking trivial passwords, writing them down, etc.?
Another topic to explore is the number of security incidents that an organization has experienced that would have been prevented by more frequent password changes. If that number is low, it would seem logical to expend limited resources (and end user patience) on other areas of vulnerability.

Not that changing passwords is a bad thing. But it can be taken to an extreme when the proper way to solve the problem that frequent changes are trying to address is multi-factor authentication or OTP.

--
Gary Flynn
Security Engineer
James Madison University