Thursday, February 12, 2009
The Stupidity of Forced Password Changes
Changing passwords on a regular basis is supposed to increase security: if someone somehow gets hold of a password you used some time ago (perhaps they took a few months to get through their camera footage at the local wireless hotspot?), the idea is that it has already been replaced by the time they try it, so it no longer matters. Centrelink (the organisation responsible for social security services in Australia) enforces password changes after a defined period; I think it's every three months. Unfortunately, I tend to forget my new passwords when I have to change them like this. I believe I pick relatively strong passwords, but as a result, it sometimes takes me a while to memorise them. You can do silly things like changing one character, but then the new password is only one guess away for anyone who knew the old one, and I sometimes forget which character I changed. :) I would argue that enforcing password changes like this actually encourages insecure, stupid behaviour like writing them down, because people know they're going to forget their new password!
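The "change one character" habit is what defeats the whole point of rotation. As an added illustration that is not part of the original post, the script below simulates an attacker who already knows the old password (the scenario in the first sentence) and simply tries every string one edit away from it against the login; it also shows the edit-distance check a rotation policy could apply to reject such near-copies. The passwords, the unsalted SHA-256 stand-in for the login check, and the threshold of 4 edits are all constructed assumptions for the example, not anything the post or Centrelink describes.

```python
import hashlib
import string

# Constructed sample data for this example (not from the post): a password that
# has leaked (the attacker knows it in plaintext) and the hash of the password
# the user picked at the forced rotation by bumping the final digit.
LEAKED_OLD_PASSWORD = "Tr0ub4dor&3"
ROTATED_PASSWORD = "Tr0ub4dor&4"

# Characters a user is likely to swap in: every printable ASCII symbol.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_password(password):
    """Assumed stand-in for the target's stored credential: unsalted SHA-256.
    A real system would use bcrypt/argon2, which slows each guess but does not
    change the size of the tiny search space shown here."""
    return hashlib.sha256(password.encode()).hexdigest()


ROTATED_PASSWORD_HASH = hash_password(ROTATED_PASSWORD)


def single_edit_variants(password):
    """Yield each distinct string one deletion, substitution or insertion away
    from `password`, in that order."""
    candidates = []
    for i in range(len(password)):                      # deletions
        candidates.append(password[:i] + password[i + 1:])
    for i, current in enumerate(password):              # substitutions
        for c in ALPHABET:
            if c != current:
                candidates.append(password[:i] + c + password[i + 1:])
    for i in range(len(password) + 1):                  # insertions
        for c in ALPHABET:
            candidates.append(password[:i] + c + password[i:])
    seen = set()
    for cand in candidates:
        if cand not in seen:
            seen.add(cand)
            yield cand


def login_accepts(password, stored_hash):
    """Simulated login check: does the guess hash to the stored value?"""
    return hash_password(password) == stored_hash


def guess_rotated_password(old_password, stored_hash):
    """Try every single-edit variant of the leaked password against the login.
    Returns (matching password or None, number of guesses made)."""
    attempts = 0
    for cand in single_edit_variants(old_password):
        attempts += 1
        if login_accepts(cand, stored_hash):
            return cand, attempts
    return None, attempts


def edit_distance(a, b):
    """Levenshtein distance: the similarity measure a rotation policy could use
    to reject a new password that is a trivial edit of the old one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_is_meaningful(old_password, new_password, min_distance=4):
    """True only if the new password is not a near-copy of the old one.
    The threshold of 4 is an assumed policy value, not from the post."""
    return edit_distance(old_password, new_password) >= min_distance


if __name__ == "__main__":
    found, n = guess_rotated_password(LEAKED_OLD_PASSWORD, ROTATED_PASSWORD_HASH)
    print(f"recovered {found!r} after {n} guesses")
    print("rotation would be accepted:", rotation_is_meaningful(LEAKED_OLD_PASSWORD, found))
```

With an 11-character password and a 94-symbol alphabet there are fewer than 2,200 single-edit variants in total, so the "new" password falls in well under a thousand guesses; a genuinely different replacement is outside that set entirely, which is the only case where the rotation bought anything.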