Changing Passwords
Monday, February 15th, 2010

Did you ever see the movie War Games? Great movie. Matthew Broderick and Ally Sheedy try to prevent the end of the world at the hands of a computer. In an early scene, our hero goes to the principal’s office in his high school. On the way in, he glances at a desk and there, on a sticky note, is the current system password. He later uses that password to change a grade from a “D” to an “A-”.
People do that sort of thing. Leave passwords on sticky notes, that is. I was interviewing for a tech support position some weeks ago and there, on the monitor, was a password on a sticky note.
Huge security hole.
The reason this happens is that people forget their passwords. And the reason people forget their passwords is that they get changed so often.
It seems to be gospel that for security, you have to change your password every so often. Not true. Do you change the locks on your car every so often? No. Why not? Because they’re good enough as they are.
The same is true for passwords, and if you are in a position to set policy, stop forcing people to change their passwords every so often. Enforce strong passwords, yes. (See here for what I mean by strong.) But once they’re in place, leave them.
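To make the policy argument concrete, here is an added example (not from the original post) that models the two approaches side by side: strength is checked once, when the password is chosen, and rotation is triggered only by an actual compromise rather than by a timer. The minimum length, the deny list and the sample accounts are constructed assumptions for illustration, not values from the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed stand-in for a breached-password list (hypothetical sample values).
DENY_LIST = {"password", "welcome1", "letmein", "spring2010"}


@dataclass
class Account:
    username: str
    password: str          # only inspected at set time; a real system stores a hash
    set_on: date
    compromised: bool = False


def strength_problems(username: str, password: str, min_len: int = 14) -> List[str]:
    """Checks applied once, when the password is chosen ("enforce strong passwords")."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() in DENY_LIST:
        problems.append("appears on the deny list")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def must_rotate(acct: Account, today: date, max_age_days: Optional[int]) -> bool:
    """Rotation decision. max_age_days=None models the post's advice: a password
    set once and strong stays in place unless there is a real reason to change it."""
    if acct.compromised:
        return True
    if max_age_days is None:
        return False
    return (today - acct.set_on).days > max_age_days


def demo() -> dict:
    """Constructed accounts evaluated under a 90-day timer and under no timer at all."""
    today = date(2010, 2, 15)
    accounts = [
        Account("lionel", "correct horse battery staple", date(2009, 6, 1)),
        Account("alice", "Spring2010", date(2010, 2, 1)),
        Account("bob", "a very long passphrase indeed", date(2009, 1, 1), compromised=True),
    ]
    return {a.username: {"problems": strength_problems(a.username, a.password),
                         "rotate_90d": must_rotate(a, today, 90),
                         "rotate_none": must_rotate(a, today, None)} for a in accounts}
```

Under the 90-day timer the strong, uncompromised password is forced to change anyway, while the weak one set two weeks ago is not; under the no-timer policy only the weak password (rejected at set time) and the compromised account need attention.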
-Lionel
Lionel Goulet
(781) 209-0856
Te Deum