Password Changes, Once Again

Patrick Avery

When I logged into my computer this morning, I got a message I dread but know is coming every few months. "Your password will expire in 14 days. Do you want to change it now?"


Now don't get me wrong, I like having a secure computer, but I hate having to change my passwords. With all of the e-mail, banking and other accounts I have on my computer and the Internet, it's frankly hard to keep up with all the passwords, particularly if you follow the guidelines suggested for protecting your passwords. For instance, the guidelines ask that I not tell anyone or write down my password. In addition, the password should not be related to something personal and should have a combination of letters and numbers.


But the fact is these regular password changes help maintain my data and provide an excellent level of protection. And it's not like I have a choice. Many businesses have password policies and require users to come up with a solid password.


I'm just going to have to get used to changing it every couple of months and feel good about having secure data. Check out the Knowledge Network documents linked to in this article to help you, too, maintain a secure computer.



Mar 4, 2009 3:09 AM GL says:

We assume changing our passwords makes us more secure, but does it really?

Is there any hard evidence that scheduled password changes actually make you more secure?

What's proven to be the optimal interval, 30 days, 60, 90?

Do frequent password changes make people more prone to record them in an insecure manner?

What's more important, length or complexity?

Mar 4, 2009 3:12 AM Patrick Avery says: in response to GL

For answers to your questions, please follow this thread in the discussion area.

Mar 4, 2009 3:25 AM Philip Lieberman says:

I have never understood the rationale of regularly changing a password that is secure and has not been compromised. To my knowledge the need to keep changing the password is to stay ahead of those who are trying to crack your password using some sort of brute force attack.

You could argue that if your password is sufficiently complex and of great enough length, no brute force attack would be effective and the need to change the password would not be needed.

The last reason that IT could give for this requirement would be that they believe that someone else knows your password (i.e. shoulder surfing or you disclosed it voluntarily) and that shared knowledge is now a bad idea.

Of course, if you use your current password on other sites, if this password were to be disclosed (i.e. bad web site security), a hostile agent could potentially take over your account elsewhere.

The best reason to change your password is due to the Conficker virus. Of course, you should probably check out the password you choose to make sure it is not on the "list". See:

On the other hand, your organization should not have you running as a local administrator on your machine, and hopefully they have upgraded you to a more secure operating system such as Vista, Server 2008 or the upcoming Windows 7.

That annoying UAC feature has a nice side effect of protecting your machine and security...and may give you a break from having to change passwords so often!

Ultimately, your company may upgrade to a SmartCard or token based logon system that could eliminate the need for passwords altogether. The number of companies that have done this is pretty small, but it is a nice upgrade from typing in all of those credentials. Identity Management has come a long way in the last 5 years, but most companies have not caught up.


Philip Lieberman


Lieberman Software Corporation

Mar 4, 2009 3:33 AM Philip Lieberman says: in response to GL

Both length and complexity are at issue for decryption. The technology known as Rainbow Table Attacks (see Google for more) allows most short passwords (less than 8 characters in length) to be decrypted in minutes if an attacker has access to the raw hashes stored on the computer. This assumes physical access to the machine with the passwords is possible, or there is a vulnerability that would allow the password hashes to be extracted remotely via an exploit. Long passwords of 14+ characters in length not composed of off-the-shelf dictionary (or LEET variations thereof) based words are not reasonably crackable.

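The point behind the last reply, that a precomputed table only pays off against raw, unsalted hashes, as an added example that is not part of the original post or any of the comments: a constructed five-word list stands in for the wordlist a table is built from, and a salted, iterated PBKDF2 hash (a per-user random salt is the assumption) is shown beside it, which no table built in advance can match.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the wordlist a precomputed table is built from.
# Real tables cover billions of candidates; the mechanism is the same.
WORDLIST = ["password", "letmein", "welcome1", "qwerty", "p@ssw0rd"]


def unsalted_hash(password: str) -> str:
    """Raw SHA-256 of the password alone: the stored form a precomputed table defeats."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Map digest -> plaintext for every word. Computed once, it resolves any
    unsalted hash of a listed word instantly, for every user on every system."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_hash: str):
    """Return the plaintext for a stored hash if the table covers it, else None."""
    return table.get(stored_hash)


def hash_with_salt(password: str, salt: Optional[bytes] = None, iterations: int = 600_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt (assumed scheme).
    The salt makes every stored value unique, so nothing computed in advance
    matches it, and the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes, iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_with_salt(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted 'letmein' ->", lookup(table, unsalted_hash("letmein")))
    salt, digest = hash_with_salt("letmein")
    print("salted   'letmein' ->", lookup(table, digest.hex()))
    print("verify ok:", verify("letmein", salt, digest))
```

Two users with the same password get different salted digests, which is exactly what removes the one-time precomputation advantage the comment describes.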
