>I’m surprised by how many sites and IT departments continue to force users to change their passwords every 30, 60, 90, 180 days. I find this practice annoying and wonder why everybody thinks this is a good idea. And why this is still considered a best practice.
There are now more opinions to back up my thoughts:
- Password Rules: Change them every 25 years
- Password change myth discounted
- Please do not change your password
But, in spite of this, many IT systems still believe that changing your password every 90 days or so makes things more secure.
Don’t get me wrong, security is important. It needs to be job one in every application that stores anything about me and in every IT department. Protecting my data is very important to me and I don’t want to do business with a company that doesn’t believe security is important.
I do believe that you are more secure with a longer password. And I would rather have a long password than be forced to change my password every 90 days. The problem is that sites make the determination for me by forcing me to change my password. Since long passwords are harder to come up with and remember, I end up with shorter passwords because I take the path of least resistance.
Why am I so worried? In a 3year old post, Jeff Atwood, taking about a specific password cracking program in his Coding Horror blog says, “this attack covered 99.9% of all possible 14 character alphanumeric passwords in 11 minutes”. The problem is only getting worse. Some of the new cracker programs take advantage of the massive amount of processing power in the nVidia graphics processor chips cutting the time it takes to crack passwords by 60% or more.
Yet I’m still forced to change my password on some sites. So I go with shorter passwords because coming up with longer passwords is difficult and I don’t want to do that every 3 months. Why is it so hard to get IT people, including myself at times, to acknowledge how security risks have changed and to change our behaviors? And to change “best practices”?