Users hate them. They're a massive headache to network administrators. But IT departments often mandate them nonetheless: regularly scheduled password changes â€” part of a policy intended to increase computer security.
Now new research proves what you've probably suspected ever since your first pop-up announcing that your password has expired and you need to create a new one. This presumed security measure is little more than a big waste of time, the Boston Globe reports.
Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "Thatâ€™s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in...
As a software professional, I agree with this study - changing passwords constantly does not improve security, and creates a situation where a predictable scheme has to be used to generate an acceptable and different password you can remember.
The best thing is to get away from traditional passwords entirely and use a public key infrastructure.