Tuesday, April 25, 2006
Changing Passwords
Dr. Eugene Spafford has some harsh words for the practice of requiring monthly password changes. After looking at all the ways in which a password might be compromised — disclosure, inference, exposure, loss, guessing, cracking, and snooping — he concludes convincingly that there is no solid case to be made for mandating that users change passwords periodically.
Definitely interesting stuff. But more interesting was Spafford's story about how changing passwords became a "best practice".
Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did a back-of-the-envelope calculation of how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So they (somewhat reasonably) set a password change period of one month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published and was largely accepted by others over the years. As time went on, auditors began to look for it and ended up building it into the set of best practices they expected to see.
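The calculation in that story, as an added example that is not from the original post or from Spafford's article: the size of the password space, how long an exhaustive search takes at a given guessing rate, and how much of the space fits inside one change window. The alphabet (26 lowercase letters), the length (8) and both guessing rates are assumptions chosen for illustration; the first rate is picked so that exhausting the space takes "several months".

```python
# Added example, not from the original post or Spafford's article. It models the
# back-of-the-envelope argument behind the one-month change period: how long an
# attacker needs to exhaust the password space, and how much of it fits inside
# one change window. Alphabet size, password length and both guessing rates
# are assumptions chosen for illustration.

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaust_days(space: int, guesses_per_second: float) -> float:
    """Days needed to try every password in `space` at a steady guessing rate."""
    return space / guesses_per_second / SECONDS_PER_DAY


def fraction_searched(space: int, guesses_per_second: float, window_days: float) -> float:
    """Share of the space an attacker covers within one change window.

    For a password chosen uniformly at random this is also the probability
    that the attacker guesses it before the password is changed (capped at 1).
    """
    tried = guesses_per_second * window_days * SECONDS_PER_DAY
    return min(1.0, tried / space)


def rotation_bounds_search(space: int, guesses_per_second: float, window_days: float) -> bool:
    """True only if an exhaustive search takes longer than one change window.

    That is the premise of the original calculation: the change period was
    chosen to be shorter than the time needed to try every password.
    """
    return exhaust_days(space, guesses_per_second) > window_days


def compare(window_days: float = 30) -> dict:
    """Run the calculation for an assumed mainframe-era rate and an assumed modern rate."""
    space = keyspace(26, 8)  # assumption: 8 lowercase letters, uniformly chosen
    results = {}
    for label, rate in (("mainframe (assumed 1e4 guesses/s)", 1e4),
                        ("modern offline cracking (assumed 1e10 guesses/s)", 1e10)):
        results[label] = {
            "days_to_exhaust": exhaust_days(space, rate),
            "fraction_in_window": fraction_searched(space, rate, window_days),
            "rotation_bounds_search": rotation_bounds_search(space, rate, window_days),
        }
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label}: exhaust in {r['days_to_exhaust']:.3g} days, "
              f"{r['fraction_in_window']:.1%} of the space searched per 30-day window, "
              f"rotation bounds the search: {r['rotation_bounds_search']}")
```

With the assumed mainframe rate the space takes roughly eight months to exhaust and a 30-day window covers about 12% of it, so the change period did bound something. At the assumed modern offline rate the same space is exhausted in well under a day, the window covers all of it, and no realistic change period helps. The fraction is a compromise probability only for uniformly random passwords; dictionary and rule-based guessing against human-chosen passwords finishes far sooner than the exhaustive figure suggests.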
So there you go. Take this to your sysadmin the next time your office computer tells you your password is about to expire.