Stop resetting your passwords, says UK govt's spy network


The advice is pretty sound, actually, even if I don't really trust the bastards giving it (stopped clocks and all that).

Forcing people to change their password every, let's say, 90 days makes it more likely they'll just stick a number at the end and increment it, which means if you break it once, you can probably break it again when the user changes it.

That gives a false sense of security, which weakens the overall system. And the forced changes themselves add to that. If you're making users update their passwords it's because you think it's more secure. The thinking is that even if their password gets cracked the intruder will only get a limited amount of time. In reality they get between 1 and 90 days, most likely somewhere in the middle. If you can find or do what you want within that sort of timeframe then you could probably never do it anyway.

It's the illusion of security, which is a weak point, and it pisses users off which leads them to be sloppy and resent any of the security stuff they have to put up with.
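As an added example from the defender's side (not from the original post or the article it reacts to): a password-change check that rejects the "same base word, bump the number on the end" rotation the comment describes, so a forced change at least has to be a real change. The function names are assumptions for this illustration, not any product's API.

```python
import re
from difflib import SequenceMatcher

# Added example: flag password "changes" that are really the old password
# with its counter incremented or moved. Names are illustrative only.

# Digits/symbols at either end of the password (the part people increment).
_EDGE_NOISE = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def core_of(password: str) -> str:
    """Strip digits/symbols from both ends and fold case, so that
    'Summer2016!', 'summer2017' and '2018Summer' all share the core 'summer'."""
    return _EDGE_NOISE.sub("", password).casefold()


def is_trivial_rotation(old: str, new: str, max_similarity: float = 0.8) -> bool:
    """True if `new` is `old` with the counter bumped/moved, only the case
    changed, or only a character or two edited."""
    if old.casefold() == new.casefold():
        return True
    old_core, new_core = core_of(old), core_of(new)
    # Same letters, only the leading/trailing counter differs: the classic increment.
    if old_core and old_core == new_core:
        return True
    # Fall back to a similarity ratio for other small edits (e -> 3, one char swapped).
    ratio = SequenceMatcher(None, old.casefold(), new.casefold()).ratio()
    return ratio >= max_similarity


def check_change(old: str, new: str) -> str:
    """Decision a password-change handler could return for the pair."""
    return "reject" if is_trivial_rotation(old, new) else "accept"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2016", "Summer2017"), ("Summer2016", "Winter2017")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new)}")
```

The ratio threshold is a tunable; 0.8 catches single-character substitutions on typical lengths without rejecting genuinely new passwords.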