Changing your password is a waste of time

And, apparently, money, according to Microsoft.

I have never been a huge fan of the whole “you should change your password every 3 months” camp. I know that there are many admins out there that do follow this to the “T”. If I remember correctly, this went back to at least the NT 4 days – and probably earlier versions – as a standardized setting. And we, who have been in the business that long, have just sort of gone along with the flow rather than run the risk of not following “Industry Best Practices” (IBP). God forbid we DID change that setting and then risked the wrath of upper management or analysts asking, “Did/Does this follow industry best practices?” – usually while looking for a scapegoat for some unrelated foul-up.

The only thing needed to change this annoying behavior is to hunt the setting down and change it in security policies: it lives under Account Policies > Password Policy as “Maximum password age” (in Local Security Policy on a standalone box, or in the Default Domain Policy GPO for a domain), and a value of 0 means passwords never expire. And, voila, annoyance gone. In my experience, it really cuts down on frustration with end users.
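For those who would rather script it than click through the policy editor, here is an added example (not from the original post) that audits the current maximum password age and then turns forced rotation off, raising the minimum length at the same time so that dropping rotation is not the only change. It assumes the ActiveDirectory PowerShell module is installed, that you are running as a Domain Admin, and that the domain is called corp.example; all three are assumptions.

```powershell
# Added example, not part of the original post.
# Assumptions: ActiveDirectory module present, Domain Admin rights,
# and a domain named 'corp.example' (placeholder).

# --- Standalone / workgroup machine ---------------------------------------
# Show the effective local account policy; look for the
# "Maximum password age (days)" and "Minimum password length" lines.
net accounts

# Stop forcing rotation locally, but raise the length floor while you are
# there. net accounts caps /minpwlen at 14; use the policy editor or a GPO
# for anything longer.
net accounts /maxpwage:unlimited /minpwlen:14

# --- Domain ---------------------------------------------------------------
Import-Module ActiveDirectory

# Record what is there now before touching it, so the change can be reverted.
$before = Get-ADDefaultDomainPasswordPolicy -Identity 'corp.example'
$before | Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled,
                        LockoutThreshold, PasswordHistoryCount

# A MaxPasswordAge of zero in the default domain policy means "never expires"
# (the same as entering 0 in the GPO editor). Pair it with a 15-character
# minimum, in line with the longer passwords this post argues for.
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.example' `
    -MaxPasswordAge ([TimeSpan]::Zero) `
    -MinPasswordLength 15

# Verify the change actually took.
$after = Get-ADDefaultDomainPasswordPolicy -Identity 'corp.example'
if ($after.MaxPasswordAge -ne [TimeSpan]::Zero) {
    throw "MaxPasswordAge is still $($after.MaxPasswordAge); change did not apply"
}
"Rotation disabled; minimum length is now $($after.MinPasswordLength)"
```

Two things worth keeping in mind when you run this. First, the per-user PasswordNeverExpires flag is a separate attribute and is untouched here; this only stops the domain policy from forcing expiry. Second, turning rotation off is only sensible if you still reset credentials when there is reason to think they leaked, which is exactly the case the rest of this post describes.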

On my own internal servers, I don’t believe in changing passwords at all if I can help it. Even on my external facing servers, I still am not a huge fan of changing passwords with any regularity. Changing passwords happens most frequently for ME when for some reason or another, I can’t remember it or it gets jumbled in my LastPass. Or if it seems as though there may be a breach in there…

For those of you that don’t use it, LastPass is an awesome password manager. It DOES allow you, for example, to use some ungodly long passwords without having to type them in every time. My passwords currently range from 15 characters on up to about 30 characters, as opposed to the shorter 5-10 character passwords I used before.

I literally have well over a thousand web passwords that LastPass CAN handle. It doesn’t handle things like domain logon passwords, VPN passwords, or any other system-level passwords (which is what this article IS actually devoted to, though the premise is the same), so it is of limited use for remembering those, but it does go a long way towards helping out.

I personally am tickled about this finding by Microsoft. Maybe now administrators across the world can get back to doing something useful, rather than: “You changed your password earlier today, and now you can’t remember it? Yeah, I can reset it.”

Read the article here: http://www.techeye.net/security/changing-your-password-is-a-waste-of-time

Author: Eric Erickson
