IMO, no.

Changing passwords frequently only seems to exacerbate several (user)
problems.  The following behaviors need to be mitigated: password recycling
between multiple accounts/sites and unwillingness to use complex passwords
(because they are difficult to remember).

I encourage users to use complex passwords to the extent a site is able to
do so, so if they can use a sentence of 100+ characters, they should do so.
To remember that passphrase, I suggest the use of a password safe app on
their smartphone and to not store the data in the cloud[1] if at all
possible.  I also advise that they use either 2 factor authentication for
personal email if they want to deal with the hassle, or at least a complex
password that was never used anywhere else.  If a user is changing
passwords frequently the likelihood that they repeat a password is only
greater.  Further, the likelihood that the password exists in a compromised
password list somewhere is only greater.

[1] This becomes a poor man's two factor authentication, something you have
and something you know.  You basically need the smartphone to get into the
account, and if you don't store the data in the cloud you don't have to be
concerned about your data being compromised, unless you lose your phone.
And I tell users, "If you lose your phone, reset all passwords for high
value accounts ASAP."

On Mon, Aug 27, 2012 at 9:42 AM, Maglinger, Paul <[email protected]> wrote:

>  I know this has been discussed at length in the past here, but IMHO this
> article provides the single most valid argument for changing passwords
> periodically.  Namely:
>
> "The whole password-cracking scene has changed drastically in the last
> couple years," said Weir, the Florida State University post-doctoral
> student. "You can look online and you can generally find passwords for just
> about everyone at some point. I've found my own username and passwords on
> several different sites. If you think every single website you have an
> account on is secure and has never been hacked, you're a much more
> optimistic person than I am."
>
> Great read!  Thanks.
>
> -Paul
>
> *From:* Andrew S. Baker [mailto:[email protected]]
> *Sent:* Sunday, August 26, 2012 11:50 AM
> *To:* NT System Admin Issues
> *Subject:* Why passwords have never been weaker—and crackers have never
> been stronger
>
> *Why passwords have never been weaker—and crackers have never been
> stronger*
>
> *The most important single contribution to cracking knowledge came in
> late 2009, when an SQL injection attack against online games service
> RockYou.com exposed 32 million plaintext passwords used by its members to
> log in to their accounts. The passcodes, which came to 14.3 million once
> duplicates were removed, were posted online; almost overnight, the
> unprecedented corpus of real-world credentials changed the way whitehat and
> blackhat hackers alike cracked passwords.*
>
> http://arstechnica.com/security/2012/08/passwords-under-assault/
>
> This is a detailed article and a very good read about password security.
>
> *ASB*
>
> *http://XeeMe.com/AndrewBaker*
>
> *Harnessing the Advantages of Technology for the SMB market…*
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin