Re: Frequency of password change

[Melissa Guenther <mguenther () COX NET>]

Here's one viewpoint:
Consider the "sensitivity of the resources which you are trying to protect"
and suggest "enforcing password changes somewhere between once per fiscal
year and once per fiscal quarter". Just use good judgment and don't be lazy.
Changing a password is relatively quick and painless compared to the
irritating and expensive process of combating identity theft.
I also promote ways to construct passwords in a way that is a systemic
approach - having a few strong passwords, then drop one or two characters
and add replacement characters - somewhat of a rotating approach.  I am very
sensitive to balancing protection with production!

Melissa
----- Original Message -----
From: "Gary Flynn" <flynngn () JMU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, August 23, 2005 6:02 AM
Subject: Re: [SECURITY] Frequency of password change


> Gene Spafford wrote:
>
> > I know this has been a topic here before, but I failed to archive the
> > info.  Does anyone have references to any good studies that show that
> > changing passwords once a month (or every 8 weeks, etc) is too  FREQUENT
> > and leads to more cases of people forgetting passwords,  picking trivial
> > passwords, writing them down, etc.
>
> Another topic to explore is the number of security
> incidents that an organization has experienced that
> would have been prevented by more frequent password
> changes. If that number is low, it would seem logical
> to expend limited resources (and end user patience)
> on other areas of vulnerability.
>
> Not that changing passwords is a bad thing. But it
> can be taken to extreme when the proper way to solve
> the problem that frequent changes are trying to
> address is multi-factor authentication or OTP.
>
> --
> Gary Flynn
> Security Engineer
> James Madison University