Educause Security Discussion mailing list archives

Re: Frequency of password change


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 23 Aug 2005 09:02:20 -0400

Gene Spafford wrote:

I know this has been a topic here before, but I failed to archive the
info.  Does anyone have references to any good studies that show that
changing passwords once a month (or every 8 weeks, etc) is too FREQUENT
and leads to more cases of people forgetting passwords, picking trivial
passwords, writing them down, etc.

Another topic to explore is the number of security
incidents that an organization has experienced that
would have been prevented by more frequent password
changes. If that number is low, it would seem logical
to expend limited resources (and end user patience)
on other areas of vulnerability.

Not that changing passwords is a bad thing. But it
can be taken to extreme when the proper way to solve
the problem that frequent changes are trying to
address is multi-factor authentication or OTP.

--
Gary Flynn
Security Engineer
James Madison University