Passwords to protect computer-based data have been around, well, forever, and it seems like every day someone is asking me to create a user ID and password to visit a site. In tandem, the age-old wisdom is to change your password frequently to improve security -- and some organizations don't give you a choice in the matter: their password systems require that a new password be set every 60 or 90 days.
But now, a study by Microsoft researcher Cormac Herley finds that changing passwords is a waste of time. In a Boston Globe article, it was reported:
Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you've switched to a new one, Herley wrote. That's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
Surely, I wasn't the only one who had a "wow, really?" reaction to this report, so I decided to get in touch with Roger Thompson, chief research officer at AVG Technologies, for his take on the study. His response: he agreed, mostly. Thompson told me:
I think it's absolutely pointless telling people to change their password every month. I also disagree with the idea about never writing your password down. This sort of advice made sense when people only logged in to one or two places, like the corporate network, and maybe an e-mail address somewhere.
With the proliferation of sites and applications that need passwords, he added, it isn't realistic to expect every password to be changed regularly and still be remembered. Thompson did say it is important not to use the same password for everything, a point made by IT Business Edge's Paul Mah as well. Thompson, however, said:
If you use the same password for all accounts, and one website leaks it somehow, you lose the keys to the kingdom, and you might not even realize it. In my opinion, a better plan is to have multiple passwords, write them down, and store them in your wallet or in a password manager. At least if you lose your wallet, you know you have to cancel all your credit cards, and change your passwords.
Mah has some interesting tips in this post for creating strong passwords.