Your password will expire in 14 days

Every couple of months the university computer systems send each user an automated message asking them to change their password if they want to continue to use the university’s email, grading, placement, and billing systems as well as their own workstations. I find this a major hassle, but comply nonetheless.

Why a hassle?

It requires me to re-enter the password in every email application I have installed on my three computers. It also requires me to re-authorize my LDAP access as well as WebCT. I sometimes feel that I have just caught up on re-entering all the info when I am asked to change the password again.

The other day, Revathy and I were talking about her persistent issues with her computer and password authentication and then today I stumbled upon Chris’s entry on his blog. (Chris is in IT.)

So now, there is only one person to convince. Sorry for my rant, Russ.

Here’s what Chris wrote to people like him (yep, this is for you Russ):

Dear Microsoft and systems administrators,
The common practice of forcing people to change their passwords periodically makes them less secure, not more secure. Please stop it.
This is the most unresearched and insecure tactic for network security ever. Forcing the password to be significantly different from the last password is even worse. The reason is simple: People can’t remember all these fucking passwords and their variations, so they WRITE THEM DOWN. If they are at least a little savvy, they store them in an email draft to themselves for easy, but password-protected, access, but mostly, they put it on a scrap of paper that will be easy to find. The first place would-be office “hackers” look for passwords? Sticky notes on computer monitors. 60% of the time, that works every time. The other 40% of the time, it’s on a little scrap of paper in the drawer or under a keyboard.
I don’t know who started this myth, or propagates it, but Google has never once asked me to change a password. What do they know that you don’t? A lot obviously. I use a good, secure, safe password on all my accounts. On most of them it is the SAME password. I can type it without thinking. I don’t forget it. It has never been hacked.
Enforcing good password standards does make sense and is proven to make them more secure. Include a capital letter, a number, and a special character. Great. Helpful. Important. (I did have a network that enforced a 6-character LIMIT on passwords. That means you can’t have more than 6 characters. How fucking dumb is that!? Enforcing standards to make the password weaker…)
The bottom line is really, really simple. Stop making people change their passwords. You are weakening your security and making our lives more difficult.
Sincerely,
~chris
