Challenging Conventional Password Wisdom
By Leo Notenboom
Leo questions the conventional wisdom of changing passwords periodically. – PC Pitstop.
I read many articles (including some on Ask Leo!) that recommend that people should change their passwords from time to time. But what is good practice in this respect? Should it be related to frequency of use? For instance, some passwords are used frequently, some less often, and some rarely. Or should it be related to the level of security needed? For instance, passwords for online banking are more sensitive than passwords for magazine subscriptions.
Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. This would seem to be overkill in the home environment as it could result in some accounts being accessed more often to change a password than to do anything else.
Unless you get into a good routine, like when you do data backups, password changes will only get done sporadically, if at all.
Do you have a view on how to build such a good routine?
As you say, routines for things like this are difficult to set up, and if not automated, they are easily forgotten. Automation may be the answer in many cases, but it’s not always available – at least not in a convenient form.
But before we even get to that, I want to talk about that “change your password periodically” rule of thumb.
I’ve changed my mind on it.
This excerpt appears with permission from Leo Notenboom.