Password policies have a place, such as the alternative change in my school’s policy, but mandatory password changes are not the solution.
The Past Pros & the Current Cons
Mandatory changes were originally viewed as an important security practice: the idea was that rotating passwords on a schedule would regularly lock out an unauthorized user who had learned the legitimate user’s password. This sounds helpful, but it is not.
Passwords are contradictory by definition: they must be hard to guess yet easy to remember. Many of us try to get around this predicament by keeping the same password and making small changes to the original version. This password creation technique is known as transformation, and it is a very appealing way to make a quick and easy new password.
So, where does the problem lie?
Just like I did in college, many of us start with a simple password and then add extra characters or replace existing ones. For example, have you ever changed an ‘s’ to a ‘$’, or an ‘e’ to a ‘3’?
If you have made any of these alterations, you could be creating a security risk for your company. A dedicated attacker who has obtained a file of hashed passwords can run offline attacks against it, guessing candidate passwords (including simple transformations of an old one) without ever touching your account. What makes the hashed password file worse is that if you use a similar password for another account, knowing the first lets them easily attack both accounts at once.
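As an added example that is not part of the original post, here is a small Python policy check a password-change flow could run to reject a new password that is only a transformation of the old one (the ‘s’ to ‘$’ and ‘e’ to ‘3’ substitutions and appended digits described above). The substitution table, the similarity thresholds and the sample passwords are assumptions made for this illustration.

```python
import string
from typing import List, Optional

# Substitutions people commonly use to "transform" a password, mapped back to
# the letter they stand in for. This table is an assumption for the example.
LEET_MAP = str.maketrans({
    "$": "s", "5": "s", "3": "e", "0": "o", "1": "l", "!": "i",
    "@": "a", "4": "a", "7": "t", "+": "t",
})
PADDING = string.digits + string.punctuation


def normalize(password: str) -> str:
    """Reduce a password to its root: drop leading/trailing digit and symbol
    padding (Summer2023! -> Summer), undo leet-style substitutions
    (p@$$w0rd -> password) and lower-case. A substitution sitting at the very
    end is treated as padding, which errs on the side of flagging."""
    return password.strip(PADDING).translate(LEET_MAP).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_transformation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is a trivial transformation of `old`: identical roots
    after normalization, one root contained in the other (roots of at least
    four characters), or the raw passwords within `max_distance` edits.
    The thresholds are assumptions chosen for this example."""
    r_old, r_new = normalize(old), normalize(new)
    if r_old and r_new:
        if r_old == r_new:
            return True
        if min(len(r_old), len(r_new)) >= 4 and (r_old in r_new or r_new in r_old):
            return True
    return edit_distance(old.lower(), new.lower()) <= max_distance


def check_new_password(history: List[str], new: str) -> Optional[str]:
    """Return a rejection reason if `new` is a transformation of any entry in
    `history`, else None. Plaintext history is for this offline demo only;
    in practice the comparison is made against the old password the user
    types at change time, since stored history should be hashed."""
    for old in history:
        if is_transformation(old, new):
            return "new password is a simple transformation of a previous password"
    return None
```

Rejecting transformations at change time removes the easy way out that a mandatory-rotation policy otherwise pushes users toward, so it pairs naturally with less frequent, stronger changes.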
Where Do We Go From Here?
Now, you may be confused, because you thought frequent password changes were a staple of IT security practice. I know I did for a while: though I was annoyed by mandatory password changes, I agreed with their logic. Fortunately, that is no longer the case. You should really only change your password once or twice a year. However, this does not let you off the hook on creating a strong password; instead, you must create an even stronger password than before. Check out this blog post to see exactly how to do that.
As always, if someone knows your password – change it. Or, if you think someone knows your password – change it.
Does your company have a mandatory password change policy? If so, it may be time to change it. Make sure that you start developing passwords that are longer than eight characters and use a mixture of letter cases, special characters, and numbers, so you limit the opportunity for an attacker to figure out your password. Total Computer Solutions can keep you up to date with all of IT’s best security practices. TCS can help further answer any password or security questions you may have.