Wednesday, April 21, 2010

Study: Frequent password changes are useless

One of the biggest problems with changing passwords too frequently is that users invariably will forget the new one. Wouldn't it be nice for administrators if they could simply teach users how to construct a stronger password, and then get them to stick to it? Constantly changing complicated passwords causes users to write them down on sticky-notes where others may see them. The reality is if an attacker has a system's password hashes to crack, they already have the access needed to steal data or whatever it is they are up to. Also, once a password has been cracked, the attacker is likely to use it right away - not three weeks down the road.

As Microsoft indirectly points out, companies would save enormous amounts of money if they did not have to dedicate administrative hours to resetting passwords just as frequently as the policy requires them to be changed.

However, the reality is that various industry standards mandate policies requiring frequent password changes. The bigger your organization is, the more likely you are bound by one of them. This is unfortunate: a well-meaning policy ends up costing companies more than the risks it supposedly mitigates.
