
Study: Frequent password changes are useless - bluesmoon
http://news.yahoo.com/s/ytech_wguy/20100413/tc_ytech_wguy/ytech_wguy_tc1590
======
j00lz
The majority of users in my experience just increment the last digit in their
password by 1 each time they are forced to change it.
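
The "bump the last digit" habit described above is exactly what a password-change check can catch, because the change flow is the one moment where both the old and the new password are available in plaintext. The following is an added example (not code from the thread or from any product mentioned in it): it rejects a new password whose memorised core matches the old one once trailing digits and punctuation are stripped, or that is within a couple of edits of it, or is simply the old one reversed. The stem rule, the edit threshold of 2 and the reversal rule are my own choices.

```python
# Added example, not from the thread: reject a "new" password that is a
# trivial edit of the old one (e.g. Summer2009 -> Summer2010). Both values
# are in plaintext only during the change flow, so this is where the check
# has to live; previous passwords in a history store are hashed and cannot be
# compared this way.
import re


def _stem(pw: str) -> str:
    """Lower-case and strip leading/trailing digits and punctuation, leaving
    the part a user actually memorises ("Summer2009!" -> "summer")."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is too close to `old` to count as a real change.
    The threshold of 2 edits is an assumption chosen for this example."""
    if old == new:
        return True
    old_stem, new_stem = _stem(old), _stem(new)
    if old_stem and old_stem == new_stem:
        return True  # same memorised core, only digits/symbols moved
    if _levenshtein(old.lower(), new.lower()) <= max_edits:
        return True  # e.g. Summer2009 -> Summer2010 is two substitutions
    if new.lower() == old.lower()[::-1]:
        return True  # reversed old password
    return False


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2009", "Summer2010"),
                     ("Password1", "password2!"),
                     ("abc123", "321cba"),
                     ("Summer2009", "correct horse battery")]:
        verdict = "REJECT" if is_trivial_change(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

Note what this does not cover: anything beyond the user's current password. Password-history lists hold hashes, so "the same as three changes ago" can only be detected by hashing the candidate and comparing, never by similarity.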

------
DilipJ
Personally, I've lost access to more accounts due to forgetting the password
rather than having those accounts be accessed by outsiders. So I agree with
this study's conclusions.

------
j_baker
The most odd thing is that _Microsoft_ undertook this study. My experience has
been that Active Directory can be made to enforce the most sadistic of
password policies.

~~~
sriramk
I think a lot of that is what companies _want_ to do with AD. I doubt MSFT is
in the business of deciding what people's password policies should be (apart
from picking a sane default).

I do think passwords today fail basic usability tests. Having people remember
random long, frequently changing strings of letters and numbers is a recipe
for disaster. It's sad that we as an industry haven't thought of something
better.

------
dreaming
This makes me wonder what would happen if you could have a company 'salt'
which is known internally throughout an organisation and added to the end of
your password, each month it changes... everybody would know the extension to
their password (no forgetting) but it would make it difficult for outside
brute force attacks, while making your password no less secure internally...
or so my half asleep thoughts appear to suggest (of course, if somebody
internal had already compromised your password it wouldn't help, but
presumably at that stage it's game over)

~~~
eru
Trivially broken by social engineering.

~~~
jared314
All passwords are trivially broken by social engineering.

~~~
eru
But seldom by a class action break.

------
TallGuyShort
I disagree

>> someone who obtains your password will use it immediately, not sit on it
for weeks until you have a chance to change it

True, but I've personally seen several cases where someone's email or facebook
account was being used for unsolicited advertising and pornography, and they
didn't even know it. They may use your password immediately, but they may also
use it for a long time before the average person realizes it.

Furthermore, their conclusion was justified purely by economic motives - about
how much financial damage is done by cyberattacks, versus time spent changing
passwords. There's no mention of the obvious privacy concern when a spammer
has your password - regardless of the financial damage they may or may not do.

~~~
Qz
_...regardless of the financial damage they may or may not do._

From what I remember from another article on here, most of the time it is the
banks/etc that are liable when someone is the victim of identity fraud, not
the victim (like a $50 maximum liability or something). The banks don't give a
crap about keeping your money safe, it's about keeping _their_ money safe.

------
robobenjie
"writing them on sticky notes attached to their monitor, about the worst
possible computer security behavior you can undertake."

Really? The way I understood it, if a person has physical access to your
machine it is game over. How often does a would-be hacker come wandering past
your cube? Maybe I'm missing something but I keep all my passwords in a little
book in my home, and feel pretty safe from hackers. I suppose a thief could
break in and get them but why not just take my physical stuff then?

~~~
daemin
The other difference is that the password on the sticky note is not actually
for the computer, but is used to access network resources which probably are a
more tempting target for someone to get at. So even though they have physical
access to your machine, they will still need to get the password to access the
resources on the network.

Still, regardless, having the password there on the monitor is an utter failure.

------
ratsbane
Link to the original article:
[http://research.microsoft.com/users/cormac/papers/2009/SoLon...](http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf)

------
bwag
I've always thought the reason behind changing your password frequently was to
thwart brute force attacks? Is that not the case?

~~~
jules
Can you explain why changing your password would thwart brute force attacks?
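
The question bwag and jules are circling can be worked through in a small model. What follows is an added example, not part of the thread and not the study's analysis. Its assumptions are mine: the password is uniform over N values, the attacker makes distinct guesses in some order and never repeats one within a rotation period, and rotation replaces the password with a fresh uniform value after every m guesses. Under those assumptions the expected attacker work is (N + 1) / 2 guesses without rotation and N - (m - 1) / 2 with it, so rotation can at most double the work (one extra bit), and only when the rotation period is far shorter than the search.

```python
# Added example, not from the thread: a toy model of password rotation against
# a non-repeating guessing attack. Assumptions are mine, stated in the lead-in.
import random


def expected_guesses_no_rotation(n: int) -> float:
    """Uniform secret, exhaustive non-repeating search: (n + 1) / 2."""
    return (n + 1) / 2


def expected_guesses_with_rotation(n: int, m: int) -> float:
    """Password re-drawn every m guesses (1 <= m <= n). Each period succeeds
    with probability m/n, so n/m periods are needed on average, and the
    successful period ends after (m + 1) / 2 guesses on average:
        (n/m - 1) * m + (m + 1) / 2  =  n - (m - 1) / 2
    """
    if not 1 <= m <= n:
        raise ValueError("m must be between 1 and n")
    return n - (m - 1) / 2


def rotation_work_factor(n: int, m: int) -> float:
    """Attacker work with rotation divided by work without it. Tends to 2
    when m << n and equals 1 when the search finishes within one period."""
    return expected_guesses_with_rotation(n, m) / expected_guesses_no_rotation(n)


def simulate(n: int, m: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the closed form. By symmetry the attacker can be
    taken to try values 0..m-1 in every period, so a period succeeds iff the
    freshly drawn password is below m, at position password + 1."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    total = 0
    for _ in range(trials):
        guesses = 0
        while True:
            password = rng.randrange(n)
            if password < m:
                guesses += password + 1
                break
            guesses += m
        total += guesses
    return total / trials


if __name__ == "__main__":
    n = 10 ** 6  # e.g. the space of a 6-digit PIN (constructed figure)
    for m in (10 ** 6, 10 ** 5, 10 ** 3, 1):
        print(f"rotate every {m:>7} guesses: "
              f"work factor {rotation_work_factor(n, m):.3f}")
```

Two regimes matter in practice. An offline attack on a leaked hash makes far more guesses per period than the space holds (m >= N), so the factor is 1 and rotation buys nothing. A rate-limited online attack is the only regime where the factor approaches 2, and that one bit is what a 90-day change policy is paying for; if users rotate to near-variants, as noted earlier in the thread, the fresh-uniform assumption fails and even that bit is not obtained.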

