Or getting off the password merry go round…
I’m not sure how this happens, but there are certain months where a good proportion of my passwords rollover. Of course password rollovers are one of those entrenched security ‘good ideas’, and you’d assume it makes us more secure? Well no, unfortunately it has entirely the opposite effect.
In practice constantly rolling passwords ensures that people don’t have their password for long enough to memorise, so they then have to store it somewhere. Which makes your system way more vulnerable to social engineering style attacks, you know like looking inside people’s desk diaries, or peaking underneath their phones, or running a search for a file called ‘passwords’ on their home machine.
Constant rollover’s also make people use more easily memorised and usually therefore more vulnerable passwords which makes your system more vulnerable to offline password guessing attacks. Small side note, adding in ‘secret questions’ only compounds that vulnerability. Oh and contrary to popular belief the traditional response of requiring the password to be longer makes the situation even worse as for longer passwords people are much more likely to use more memorable number sequences like 1234567 which again are vulnerable to offline guessing attacks. There’s a good article here by Bruce Schneier on the general subject of passwords and their selection.
Of course if you want to know how folk who are really, really serious about security handle passwords you need look no further than the banks where a randomly generated four digit non rotating pin numbers validated by the Visa method is just about as good as it gets. As for the rest, security theatre than impresses management but does worse than nothing in reality. I have found though that you can never convince those Oompa Loompa’s of the IT department, because hey, they’re IT specialists who know all about this sort of stuff, right?
So, you might ask, how do I manage my passwords? Pretty simple, I use an app to generate a short (4-5 digit) random password (text and numbers) then store said password in an encrypted digital safe, Bruce Schneier’s Password Safe is a good example, and I only change a password if I think it’s compromised.
P.S I forgot to add don’t use a single password (apart from the one for your password safe) across multiple systems, because that behaviour really does make you vulnerable.