Changing your Password – Not why you Think

Another story comes my way from the Boston Globe, this time – talking about how we shouldn’t be bothering to change our passwords, because it doesn’t significantly improve the chances that you’ll stop some attacker from abusing your account.

I have to repeat something I’ve said before – you don’t change passwords to prevent people from guessing them. If your passwords are so bad that they can be guessed, they will be guessed.

You change your passwords for the following reasons:

  1. Because you gave your password to five people in the last year, and you can’t remember who they were, or if they still work at the same company.
  2. Because you need to know that you can change your password without killing half the applications you’ve worked on.

Number 2 is the big one for me.

For most ordinary users, number 1 is the most likely to have an impact, but in IT shops, it’s not uncommon for IT pros and developers to have created a service or two bound specifically to their user account. Changing your password every 90 days allows you to remember that you created the service, and to either change its password manually, or (ideally) to move it over to a recognized and managed service account.
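One practical way to do that check before rotating a password, as an added example that is not from the original post: it assumes a Windows host, PowerShell 5.1 or later with the ScheduledTasks module, and a placeholder account name in `$Account`. It lists the services, scheduled tasks and IIS application pools on the local machine that log on as that account, so you know what to repoint (ideally to a managed service account) before the change.

```powershell
# Added example, not from the original post. Placeholder account; replace before use.
$Account = 'CONTOSO\jdoe'

function Get-ShortName([string]$Identity) {
    # Reduce 'DOMAIN\user' or 'user@domain' to the bare user name for comparison
    if ($Identity -match '\\') { return ($Identity -split '\\')[-1] }
    if ($Identity -match '@')  { return ($Identity -split '@')[0] }
    return $Identity
}

function Get-AccountDependencies {
    param([Parameter(Mandatory)][string]$Account)
    $short = Get-ShortName $Account

    # 1. Windows services whose logon identity is this account
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and ((Get-ShortName $_.StartName) -ieq $short) } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunsAs = $_.StartName; State = $_.State } }

    # 2. Scheduled tasks whose principal is this account
    $tasks = Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and ((Get-ShortName $_.Principal.UserId) -ieq $short) } |
        ForEach-Object { [pscustomobject]@{ Kind = 'ScheduledTask'; Name = "$($_.TaskPath)$($_.TaskName)"; RunsAs = $_.Principal.UserId; State = $_.State } }

    # 3. IIS application pools with a stored credential (only if the WebAdministration module exists)
    $pools = @()
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $pools = Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.identityType -eq 'SpecificUser' -and
                           ((Get-ShortName $_.processModel.userName) -ieq $short) } |
            ForEach-Object { [pscustomobject]@{ Kind = 'IISAppPool'; Name = $_.Name; RunsAs = $_.processModel.userName; State = $_.state } }
    }

    @($services) + @($tasks) + @($pools)
}

$deps = Get-AccountDependencies -Account $Account
if ($deps) {
    "These will break on $env:COMPUTERNAME when the password for $Account changes; update their stored credential or move them to a managed service account first:"
    $deps | Format-Table -AutoSize
} else {
    "Nothing on $env:COMPUTERNAME runs as $Account."
}
```

The script only inspects the local host; to cover a server estate, run it through `Invoke-Command` against each machine the account has ever been used on.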

I’ve seen several – repeat, SEVERAL – incidents where a password was exposed, and the security team mandated immediate change, but the account owners refused, and fought all the way up the management chain. The reason they used for prolonging the fight was "we haven’t changed the password in so many years that we have no idea what will die when we change the password".

I view password changes now as a cheap piece of business continuity, to ensure that when a disaster (password exposure) happens, you can quickly carry on with a new password, rather than having to stumble along for weeks with a password that you know has been stolen and exposed.

I think that alone justifies changing passwords on a regular basis.

Zune HD 64 – up, down, up again

Much confusion and speculation abound that there may be a Zune HD 64GB version – PC World says that it’s going on sale April 12 for $349.99, other articles in Engadget etc. note that Zune.Net displays a link (not working at the time) to Zune HD 64. Possibly an early stab at an April Fools’ Day joke?

Apparently not.

The technical specs show no particular surprises. Double the capacity of the 32GB model – although both the 64GB and 32GB models are listed as having room for only 25,000 pictures. This doesn’t seem to be a misprint – the 16GB model has the same limit listed.

The 64GB model comes in black, or in the myriad of colours offered by Zune Originals. That could confuse people into thinking that you have the 16GB (also available by default in black).

Same size, battery life, screen size, resolution, etc., etc.

Whether or not this site goes down again in the distant future, it seems like we’re not to expect anything from the Zune 64 except double the storage.