Password Aging

In many large bureaucracies these days, it is fashionable to have a policy which requires changing passwords every x days (which is often referred to as password aging). Typically these are every 90 days or so, but examples have ranged from as little as 10 to a year or more. These policies are typically applied in a blanket fashion to all systems.

This is a mistake for two reasons:

  1. It implies that all systems are equal. This is clearly not so. Every CIO would be the first to admit that some of his systems are more mission-critical, some less so. Chances are that there are systems around which are barely necessary at all. Of course, this problem is not unique to password aging, as many other security requirements are applied in a blanket fashion. However, it is dangerous. It doesn't encourage employees to be 'more careful' of the system that really do carry the business forward. Instead, it irritates them and the end result is that they are more casual.
  2. It forces people to take drastic action, such as writing the password down. This is obviously dangerous given the likelihood of someone discovering that writing.

In fact, what this nets out to is the issue of `stability'. I have always believed that for a software system to become useful, it has to become stable — which means changing it as little as possible. Password data, in the same way as the source code of the system, is susceptible to this. When people have stable passwords, they know the system should work. They won't have to suffer the pain of a system which locks them out once again because they forgot their password, and they won't have to contact the helpdesk to have it reset. They are also more likely to take the `risk' of using more complex, and thus harder-to-crack, passwords. In short, this makes the system more secure, not less.

I welcome your opinions.

Other Opinions on the Same Topic