Frequent Password Changes: Is It Helpful or Does It Hurt?
By Barry Utesch, President TCS
This question depends a lot on the regulations in your industry. The financial and health care industries have made it a requirement that you change passwords regularly regardless of real benefits. Because of this, you really don’t have much say; you just need to comply. A study done at UNC Chapel Hill on password change frequency found that people tended to create simpler passwords that followed a clear pattern when they were forced to change them frequently. For example, they might use the same password but add the month and year that it was changed. The primary problem with this is that once a bad guy knows the password, their ability to guess future passwords was almost 100%. Obviously this is a problem, so setting a password policy that does not allow any portion of the previous password to be reused is best. However, if you’re like me and all you want to do is log in and get to work, having to come up with a brand new password that does not contain any similarity to the last password before you can begin your day is frustrating at best, especially if you’re in a time crunch.
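The policy suggested above, rejecting a new password that carries over part of the previous one, can be checked at change time, when the user has just typed both the old and the new password. The following Python check is an added example, not from the original article; the function names, the four-character threshold and the sample passwords are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed threshold: longest run of characters a new password may share with the old one.
MIN_SHARED = 4

# Trailing tokens users typically swap on a forced change: digits, month names, punctuation.
_ROTATION_TAIL = re.compile(
    r"(?:\d+|[\W_]+|jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?"
    r"|aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)$"
)


def base_word(password):
    """Lower-case the password and peel date/counter tokens off its end."""
    s = password.lower()
    while True:
        stripped = _ROTATION_TAIL.sub("", s)
        if stripped == s:
            return s
        s = stripped


def check_new_password(old, new, min_shared=MIN_SHARED):
    """Return the reasons to reject `new`; an empty list means it is acceptable.

    Both values are the plaintext typed into the change form; nothing is stored,
    and the messages never echo the shared characters.
    """
    reasons = []
    a, b = old.lower(), new.lower()
    base = base_word(old)
    if len(base) >= 3 and base == base_word(new):
        reasons.append("same base word with a new date or counter on the end")
    match = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b)
    )
    if match.size >= min_shared:
        reasons.append(f"reuses {match.size} consecutive characters of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for old, new in [("Tiger!Jun2023", "Tiger!Dec2023"),
                     ("blueHorse77", "77blueHorse"),
                     ("Tiger!Jun2023", "q7#Vr9!mLx2w")]:
        print(f"{old} -> {new}: {check_new_password(old, new) or 'accepted'}")
```

The second sample pair shows why the shared-run test is needed alongside the base-word test: moving the digits to the front changes the base word but still carries over nine characters.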
I would suggest that for most small businesses, changing passwords once or twice a year is frequent enough. The exception to this would be if a key person leaves or if there is any possibility that a password has been compromised.
If you’re like me, you log in to dozens or even hundreds of websites and programs. Keeping up with individual passwords for each of these is not only impractical, it is nearly impossible. I know that reusing passwords is not a good idea, but I’m not creative enough to have unique passwords for each site. Probably one of the best ways to solve this problem is to use a commercial password management tool. These tools can usually create completely random passwords for you and also automatically populate the password field for you so that you don’t have to remember the password for each site.
In summary, making your passwords more complex and changing them less often could be a better strategy than having recycled or simple passwords that change frequently.
For more information, check out our website at www.tcsusa.com