After speaking with an advisory firm whose management team requires employees to change certain passwords every three months, I was inspired to help firms establish practical and sane password policies. While password *strength* is vital to security, how often passwords are changed matters much less.
Here is a link to a super article Kevin Day suggests with tips from security experts about password management (thanks, Kevin!).
It is a short digest of password management, is super practical, and is entirely readable, so don’t be intimidated by the subject matter. After reading, my hope is that you can help influence your management team to institute secure passwords in a way that won’t cause you angst.
Here’s an excerpt (Tip #5), plus a fun cartoon (are you a fan of XKCD too?) to share with your system administrator to help get the point across. Not only will they appreciate it, but your co-workers will appreciate you helping to create saner security policies!
Don’t Change Them So Dang Often
We’ve touched on this before, but it’s counterintuitive enough that it bears repeating: Don’t change passwords every month. And if you’re an IT admin, don’t force your employees to.
“Admins who set password policies are better off requiring longer passwords and letting users keep them for longer, rather than requiring them to change passwords every one or two months,” says Burnett. “This encourages users to have stronger passwords and avoids simple schemes like incrementing a number at the end of the password each time they have to reset it.”
Passwords are hard. They should be! But it’s better to go through the trouble of making one good one, and sticking with it, than to expect to be able to turn over that many special characters more often than you do the pages on a wall calendar.
So imagine being the office hero, but instead of bringing in bagels, you help create better security while saving everyone from password headaches.
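To show what Burnett’s advice looks like as an actual change-time check, here is an added Python example (not code from the article or from this post): it rejects a new password that is just the current one with the trailing number bumped, and contrasts a rotate-every-90-days policy with a longer-minimum, no-expiry one. The policy values and sample passwords are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    min_length: int
    max_age_days: Optional[int]  # None means no forced rotation


# Constructed policies for comparison (hypothetical values, not from the article).
ROTATE_OFTEN_POLICY = Policy(min_length=8, max_age_days=90)      # "change it every three months"
LONG_AND_STABLE_POLICY = Policy(min_length=16, max_age_days=None)  # longer, kept longer

# Stem = the password with any trailing digits (and trailing punctuation) removed.
_STEM = re.compile(r"^(.*?)\d*\W*$", re.DOTALL)


def stem(password: str) -> str:
    """Strip the trailing counter users bump on forced resets; compare case-insensitively."""
    return _STEM.match(password).group(1).lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only the trailing number/punctuation or letter case
    changed, e.g. Winter12 -> Winter13 or Hunter2 -> hunter3!"""
    return stem(old) == stem(new)


def evaluate_change(old: str, new: str, policy: Policy) -> List[str]:
    """Return the reasons a proposed change is rejected; an empty list means accepted.
    Both values are available in plaintext here because a change flow asks the user
    to type the current password along with the new one."""
    reasons = []
    if len(new) < policy.min_length:
        reasons.append(f"too short: {len(new)} < {policy.min_length}")
    if is_trivial_variant(old, new):
        reasons.append("trivial variant of current password")
    return reasons


def rotation_required(days_since_change: int, policy: Policy) -> bool:
    """Whether the policy forces a reset purely because time has passed."""
    return policy.max_age_days is not None and days_since_change >= policy.max_age_days


if __name__ == "__main__":
    print(evaluate_change("Winter12", "Winter13", ROTATE_OFTEN_POLICY))
    print(evaluate_change("Winter12", "correct horse battery staple", LONG_AND_STABLE_POLICY))
```

Under the rotate-often policy the incremented password passes the length check and is caught only by the variant check, while the long-and-stable policy never forces a reset, so the user has no reason to invent a counter in the first place.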
Please let us know if this article makes a difference to your policies!