I am in the middle of writing a post on the topic of password aging but happened to come across this related article based on the recent Twitter password breach. In it the author discusses how changing passwords every 60 to 90 days is basically a waste of time in that it only frustrates users. He goes on to recommend using longer passwords or passphrases that never change instead. Other suggestions include implementing single sign-on (SSO) to reduce the number of passwords a user has to remember and using randomly generated passwords stored in a vault protected by one really strong password. Look for more on this topic from us in the next few days…
It is likely that the hackers, who gained access to multiple Twitter accounts and started sending spam tweets asking for $250, were able to accomplish their goal thanks to the widespread practice of using weak passwords for convenience or, worse, using the same password everywhere. Ironically, it could be password security requirements that make such behavior so common.
For instance, prevailing dogma holds that security passwords should be complex and frequently changed. But Andrew Jaquith, CTO of Perimeter E-Security and former Forrester analyst on password security, offered a countervailing opinion in an emailed statement to Infosecurity.
“Requiring employees to change their passwords every 90 days just annoys them, and they will do highly insecure things to cope as a result,” he said. “They will scribble passwords on sticky notes, re-use the same password everywhere or make the absolute smallest changes to their passwords that they can while still complying with policy.”
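The "absolute smallest changes" coping behavior Jaquith describes is something a rotation policy can at least detect at change time, when the user supplies both the current and the new password in plaintext. The following is an added example (not code from the article or from Perimeter E-Security) of a heuristic history check that rejects trivial rotations such as a bumped trailing year; the 0.8 similarity threshold and the suffix-stripping rule are my assumptions, not anything the article specifies.

```python
import difflib
import re
from typing import Iterable

# Heuristic: a new password that equals an old one once case is ignored and
# trailing digits/symbols are dropped (Winter2023! -> Winter2024!) is a
# trivial rotation that satisfies a "must change" rule without adding work
# for an attacker who already knows the old value.
_TRAILING_NON_LETTERS = re.compile(r"[^a-z]+$")


def normalize(password: str) -> str:
    """Lowercase and strip the trailing digit/symbol suffix users like to bump."""
    return _TRAILING_NON_LETTERS.sub("", password.lower())


def is_trivial_rotation(old: str, new: str, ratio_threshold: float = 0.8) -> bool:
    """True when `new` is the same password as `old` or a near-copy of it.

    Threshold 0.8 is an assumed value: difflib's ratio() returns 1.0 for identical
    strings and ~0.95 for a one-character append, so 0.8 catches a one- or
    two-character edit on a typical 8-12 character password.
    """
    if not old or not new:
        return False
    if old.lower() == new.lower():
        return True
    if normalize(old) == normalize(new):
        return True
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= ratio_threshold


def violates_history(new_password: str, previous: Iterable[str]) -> bool:
    """Reject the change if the candidate is a trivial rotation of any prior password.

    Only passwords still available in plaintext can be compared this way; in
    practice that is the current password the user types into the change form.
    """
    return any(is_trivial_rotation(old, new_password) for old in previous)


if __name__ == "__main__":
    # Constructed sample values for illustration.
    print(is_trivial_rotation("Winter2023!", "Winter2024!"))            # True
    print(is_trivial_rotation("Password1", "Password12"))                # True
    print(is_trivial_rotation("Tr0ub4dor&3", "correct horse battery staple"))  # False
```

A passphrase that never changes sidesteps this check entirely, which is the article's point: the check only limits the damage a rotation policy does, it does not make rotation worthwhile.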
Do you think changing passwords every 60 to 90 days is a waste of time assuming we already have complex passwords? Let us know in the comments below. Today’s post pic is from TheGeekStuff.com. See ya!