Tuesday, February 26, 2008

Changing passwords for security is a myth.

Today, my mail account at work was suspended because my password had expired. This is ridiculous and makes no sense: the system administrator at my work demands that we change the password every 6 months.

Look at the new password rules they defined.

Passwords

* Must contain at least 7 characters.

* Must contain characters from at least three of the following four categories:
  * English uppercase characters (A through Z);
  * English lowercase characters (a through z);
  * Base 10 digits (0 through 9);
  * Symbol characters (!, $, #, %).

* Changes will be required every 180 days.

* You must wait for 8 password cycles to pass before re-using a password.
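For reference, here is what the rules above amount to when written as a policy check. This is an added example, not anything from the employer's system; the PBKDF2 hashing, the per-user salt and the day-number bookkeeping are my own assumptions about how such a history would be stored.

```python
import hashlib
import hmac
import os
import re

# Policy values are the ones quoted above; everything else is an assumption.
MIN_LENGTH = 7
MIN_CATEGORIES = 3
MAX_AGE_DAYS = 180
HISTORY_DEPTH = 8

CATEGORIES = [
    re.compile(r"[A-Z]"),         # English uppercase
    re.compile(r"[a-z]"),         # English lowercase
    re.compile(r"[0-9]"),         # base 10 digits
    re.compile(r"[^A-Za-z0-9]"),  # symbols such as ! $ # %
]

def meets_complexity(password: str) -> bool:
    """At least 7 characters, drawn from at least three of the four categories."""
    if len(password) < MIN_LENGTH:
        return False
    return sum(1 for cat in CATEGORIES if cat.search(password)) >= MIN_CATEGORIES

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored history never holds plaintext (assumed, not from the post)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordRecord:
    """One user's state: the last HISTORY_DEPTH hashes and the day of the last change."""
    def __init__(self):
        self.salt = os.urandom(16)   # one salt per user keeps old hashes comparable
        self.history = []            # oldest first, most recent last
        self.changed_on = None       # day number of the last change; None = never set

    def is_expired(self, today: int) -> bool:
        return self.changed_on is None or today - self.changed_on >= MAX_AGE_DAYS

    def change(self, new_password: str, today: int) -> str:
        if not meets_complexity(new_password):
            return "rejected: complexity"
        digest = hash_password(new_password, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return "rejected: reused within last 8 cycles"
        # keep only the 8 most recent hashes, so the 9th-oldest password becomes reusable
        self.history = (self.history + [digest])[-HISTORY_DEPTH:]
        self.changed_on = today
        return "accepted"
```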

Do you think we can remember a password with all these different characters? And it will be changed every 6 months! This is way too much. According to the Center for Education and Research in Information Assurance and Security (CERIAS) website, it has been demonstrated that
"Forcing periodic password changes given today's resources is unlikely to significantly reduce the overall threat - unless the password is immediately changed after each use."
The system administrator at my work is inhibiting our work for no good reason. Of course, network security is a very important issue, but changing login passwords every 6 months does not increase security at all. They should do better work on this.
