Another story comes my way – from the Boston Globe, this time – talking about how we shouldn’t be bothering to change our passwords, because it doesn’t significantly improve the chances that you’ll stop some attacker from abusing your account.
I have to repeat something I’ve said before – you don’t change passwords to prevent people from guessing them. If your passwords are that bad that they can be guessed, they will be guessed.
You change your passwords for the following reasons:
- Because you gave your password to five people in the last year, and you can’t remember who they were, or if they still work at the same company.
- Because you need to know that you can change your password without killing half the applications you’ve worked on.
Number 2 is the big one for me.
For most ordinary users, number 1 is the most likely to have an impact, but in IT shops, it’s not uncommon for IT pros and developers to have created a service or two bound specifically to their user account. Changing your password every 90 days allows you to remember that you created the service, and to either change its password manually, or (ideally) to move it over to a recognized and managed service account.
I’ve seen several – repeat, SEVERAL – incidents where a password was exposed, and the security team mandated immediate change, but the account owners refused, and fought all the way up the management chain. The reason they used for prolonging the fight was "we haven’t changed the password in so many years that we have no idea what will die when we change the password".
I view password changes now as a cheap piece of business continuity, to ensure that when a disaster (password exposure) happens, you can quickly carry on with a new password, rather than having to stumble along for weeks with a password that you know has been stolen and exposed.
I think that alone justifies changing passwords on a regular basis.