CERIAS Weblogs » Security Myths and Passwords

Yesterday, during an interesting conversation on Twitter upon which I shamelessly eavesdropped, the concept of frequently changing passwords being a security vulnerability came up. One of the participants in the conversation (attribution below) posted an article about that very topic. Of course, being a curious sort (why else would I be eavesdropping on other people’s conversations on Twitter? Just because they scroll past the edge of my browser window??), I went to check the article out. CERIAS Weblogs » Security Myths and Passwords is the first of a two-part article that looks, in depth, at why the tried-and-true advice of changing your password frequently may not be the best policy for your organization. I’ve got to say that the arguments were persuasive. We have issues with our staff when it comes to changing passwords – mostly because our part-time staff rarely log into a computer using their own user/pass combo. They use a generic one that works on the desk machines and, as such, they don’t get notices that their password is about to expire. They just can’t log into the web-based email application one day and don’t necessarily realize why! Others seem to have a hard time coming up with a password that is sufficiently complex for our system and still memorable (OK, maybe not just others – I’ve hit this particular issue myself…). Not that I’m about to do away with our password-changing policy tomorrow – but the post makes some good points!
What I really liked about the post was the methodical way in which the author made his points. He goes through each of the common ways that people “lose” their passwords to bad guys and shows that most of them don’t seem to be mitigated by a policy of regularly changing passwords. He claims that the “best practice” in this case might not be the best practice for every organization, and he suggests that each organization undertake a risk analysis to determine whether a frequent-password-change policy actually does minimize its risk of getting hacked.
As I mentioned earlier, there is a second part to the article (linked at the bottom of the first post) in which he clarifies some of the questions, concerns and arguments raised in the 120 comments left on the first part. Both posts are well worth reading if you have a say in your organization’s security policy. Like I said, I’m not sure ditching the policy is the best choice for us – but it got me thinking about what might actually be the best choice, security-wise, for our library…

From the Travelin’ Librarian, Michael Sauers, via Twitter.
