Sunday, August 28, 2016

Security - Frequently changing your passwords is bad

     It's been said so many times that it has become an unchallenged mantra -- "periodically change your password".  In fact, a number of websites I visit force me to change my password after a set period of time.

     But what if that mantra were wrong?

     According to the Federal Trade Commission's chief technologist, Lorrie Cranor,
users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)
See link.  Personally, I hate being forced to change my passwords because I can never remember them.  Hopefully, this advice, along with more careful security-management policies, will lead websites to change their mandatory password-change policies.
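The "predictable ways" Cranor mentions are things like bumping a trailing year, tacking on a symbol, or capitalising a letter. Below is an added example (not from the post or the FTC) of the kind of check a site could run at password-change time to reject such trivial mutations of the previous password; the sample old/new pairs are constructed for illustration.

```python
import re

# Constructed (old, new) pairs showing the trivial edits a forced rotation
# tends to produce; none of these come from the post or from real users.
SAMPLE_CHANGES = [
    ("Summer2016", "Summer2017"),            # increment the trailing number
    ("Summer2016", "Summer2016!"),           # append a symbol
    ("summer2016", "Summer2016"),            # change letter case only
    ("Summer2016", "6102remmuS"),            # reverse the old password
    ("Summer2016", "correct-horse-battery"), # genuinely new secret
]

def normalise(pw: str) -> str:
    """Lower-case and strip any trailing digits/punctuation so that
    'Summer2016!' and 'summer2017' collapse to the same core 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_predictable_change(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is a trivial mutation of `old` and should be rejected.
    The distance threshold is a hypothetical policy knob, not a standard."""
    o, n = old.lower(), new.lower()
    if o == n or n == o[::-1]:
        return True
    core = normalise(old)
    if core and core == normalise(new):
        return True
    return edit_distance(o, n) <= max_distance

def audit(changes):
    """Return the list of (old, new) pairs a rotation policy would reject."""
    return [(o, n) for o, n in changes if is_predictable_change(o, n)]

if __name__ == "__main__":
    for old, new in SAMPLE_CHANGES:
        verdict = "REJECT" if is_predictable_change(old, new) else "ok"
        print(f"{old!r:14} -> {new!r:24} {verdict}")
```

Only the last pair survives the check; the other four are exactly the kind of change an attacker who already holds the old password would try first.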

- Henry Park

