Wednesday, April 14, 2010

Duh, we already knew--regular password changes are useless!

screenshot of password protected screen
Another study that proves the obvious--research mentioned in today's Boston Globe article, "Please do not change your password," confirms that many of the most common security measures, such as regularly changing passwords, are a waste of time. Duh!

Microsoft conducted the study to measure the effectiveness of frequent password changes. Because users are often forced to change their passwords frequently, they're reduced to writing them on stickies slapped on their monitors. Not good. Not effective. Fail!

Many might be suspicious of the fact that it was conducted by Microsoft (but then, it undertook a similar study a few years ago, which was ignored); this may be the equivalent of a broken clock being correct twice a day. Computer security expert Bruce Schneier said years ago that the advice given by Jesper Johansson, urging folks to write down their passwords, was sound. However, Schneier suggests that you not stick the information on your monitor, but keep it on your person. Of course, if IT departments didn't keep asking people to change their passwords, encouraged people to create strong yet memorable passwords, and updated the security features (firewalls) regularly, then users wouldn't feel a need to write down passwords.

Plain common sense, which is most uncommon.

*Isn't all the IT password scare talk negated by the ubiquity of "remember me on this computer" password overrides, which allow any nosy colleague blanket access to your PC if selected? (On the Yahoo Mail screen above, that option is, thankfully, left unchecked.)
