The Working Guy

Study: Frequent password changes are useless


Users hate them. They're a massive headache to network administrators. But IT departments often mandate them nonetheless: regularly scheduled password changes — part of a policy intended to increase computer security.

Now new research proves what you've probably suspected ever since your first pop-up announcing that your password has expired and you need to create a new one. This presumed security measure is little more than a big waste of time, the Boston Globe reports.

Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says.

On the bright side, changing your password isn't harmful, either, unless you use overly short or obvious passwords or you're sloppy about how you remember them. (Many users forced to change their password too frequently resort to writing them on sticky notes attached to their monitor, about the worst possible computer security behavior you can undertake.)

Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher's very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes' averted losses, but few would estimate it's anywhere approaching $16 billion a year.

Bottom line, IT departments: Drop the password-change mandates. You're only creating extra work for yourselves and making the rest of us hate you.

Christopher Null is a technology writer for Yahoo! News. 


448 Comments

  • Kithy, Tue Apr 13, 2010 11:34 am PDT (418 liked, 36 disliked)
    That's good to know. Now to forward this finding to my IT department...
  • ookami, Tue Apr 13, 2010 11:52 am PDT (140 liked, 44 disliked)
    It's not about "changing locks" as it is making it harder to acquire passwords in the first place. And a stolen password might get changed in 3 months, but I bet that user will use the same password in the future.
  • Steven S, Tue Apr 13, 2010 11:55 am PDT (263 liked, 109 disliked)
    This article looks at the issue at one level - a stolen password. While changing passwords often might not prevent unauthorized access in that event, it can prevent problems in other areas. Oftentimes, in larger companies, employees leave and nobody notifies the IT Department. A password that expires in 30 days at least limits the long-term problem of continual access in that case. Co-worker snooping is at least slightly mitigated by password changes. The problem of unauthorized access because someone selected "remember password" on a public computer is also reduced.

    I could go on and on. To say that changing passwords is useless is certainly going a bit overboard.
  • Yahoo Jack K, Tue Apr 13, 2010 11:55 am PDT (169 liked, 34 disliked)
    I have always contended that frequent password changes were counterproductive, so I am glad a study has shown that. Password changes cannot substitute for poor network management, poor firewalls, storing data insecurely, etc. Occasional challenge questions are much better and should always be required when the logon is coming from a public computer or one not already known to the network.
  • mcboozerilla, Tue Apr 13, 2010 11:55 am PDT (142 liked, 276 disliked)
    Yahoo Tech writers are useless.
  • Rich, Tue Apr 13, 2010 12:29 pm PDT (98 liked, 5 disliked)
    @Steven - An inactivity policy is usually in place to automatically lock accounts that have been neglected/unused for a period of time. This takes care of former employees as well as helps track who doesn't really need an account because they're not using it.

    On DoD systems, the 60-day password change (and 15-digit passwords with complex, strict rules) make it a huge pain. Instead of stickies, look for a password management widget like KeePass or any of the others... as long as they encrypt their file. I've got 38 different accounts/passwords and it's the only way to stay sane...
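    Steven S argues that expiry limits the damage from accounts nobody deprovisioned; Rich replies that an inactivity lockout handles that case directly. The following is an added illustration of the inactivity rule, not code from either commenter or from any product. The account records, the "still employed" flag (standing in for the HR notification IT never receives) and the 45-day threshold are all constructed for the example.

```python
from datetime import date

# Constructed sample data: (username, date of last successful login, still employed?)
# The employed flag is the HR fact that, per the thread, often never reaches IT.
SAMPLE_ACCOUNTS = [
    ("alice", date(2010, 4, 12), True),
    ("bob",   date(2010, 1, 5),  False),   # left the company; nobody told IT
    ("carol", date(2009, 11, 20), True),   # on long leave, account simply idle
    ("dave",  date(2010, 3, 30), True),
]
SAMPLE_TODAY = date(2010, 4, 13)   # constructed evaluation date


def idle_days(last_login, today):
    """Whole days since the account last authenticated successfully."""
    return (today - last_login).days


def stale_accounts(accounts, today, max_idle_days=45):
    """Usernames whose last login is older than the inactivity threshold.

    An inactivity policy disables these automatically, independent of any
    password-expiry schedule; the threshold here is an assumed value.
    """
    return sorted(
        user for user, last_login, _employed in accounts
        if idle_days(last_login, today) > max_idle_days
    )


def orphaned_accounts(accounts, today, max_idle_days=45):
    """Accounts of people who have left but were never deprovisioned.

    These are the cases the expiry argument is about; the inactivity rule
    catches them as a side effect, using only login data IT already holds.
    """
    stale = set(stale_accounts(accounts, today, max_idle_days))
    return sorted(
        user for user, _last_login, employed in accounts
        if not employed and user in stale
    )


if __name__ == "__main__":
    print("disable (idle):", stale_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY))
    print("of which orphaned:", orphaned_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY))
```

    Note that the rule also flags carol, who is merely idle; that is the intended behaviour of an inactivity policy (an unused account is an unnecessary one), and it is why Rich says it doubles as a way to find accounts nobody needs.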
  • William, Tue Apr 13, 2010 12:33 pm PDT (99 liked, 8 disliked)
    Somehow, I don't think this one article is going to change my IT department's long-standing policy of mandated password changes every 60 days. In fact, over the course of 20 years, the policy has gotten more stringent, working its way from 180-days to the current 60-days. Also changed was "6-8 characters" to "minimum of 16, with 2 upper case, 2 numbers, and 2 special characters".

    dmw/IT-ib4urh1th!
  • David, Tue Apr 13, 2010 12:33 pm PDT (47 liked, 46 disliked)
    You have to have a system for regular password changes. I use 4 alphabetic strings, call them A, B, C and D, and 4 numeric strings, call them 1, 2, 3, and 4. I rotate passwords going from A1, A2, A3, A4, B1, etc. We are also required to have a special character in the password. When I change passwords, I change the special character and insert it into a different place - at the beginning of the password, in the middle, or at the end. This way, I always know what my new password will be and I 'remember' passwords several cycles back.
  • Guru Sharma Prasad, Tue Apr 13, 2010 12:59 pm PDT (113 liked, 38 disliked)
    You have no idea how many idiots share their passwords or write them on their monitors or on a stick part somewhere on their desk, such as on or under the keyboard. Password change means nothing if you constantly post your password in obvious places. In addition, if you're always exposing yourself to virus and spyware infections, then changing your password will do nothing to help you. You are a lost cause. Quit your job and go hide in a barn somewhere.
  • Westsider, Tue Apr 13, 2010 12:59 pm PDT (39 liked, 39 disliked)
    No wonder has problems. I bet victim Google and those other 34 hacked corporations had a policy to change passwords frequently. Everybody in China had the passwords and the Interweb cops still can't pinpoint 1 person.
