Don’t change unless you have to:
The long-accepted mantra of "change your password frequently" has had its day. CESG have issued a document called "Password Guidance – simplifying your approach". It's not a new document, the copyright statement says 2015, but it contains stuff I hadn't heard ANY IT Manager, CIO or Public Sector Exec say out loud.
Regular password changing harms rather than improves security…
There's a more recent article, "The problems with forcing regular password expiry", published earlier this year, explaining their reasoning: forced expiry pushes people towards predictable patterns (incrementing a digit, reusing a previous password with a small change) and the new password is rarely any stronger than the old one. No shit Sherlock, almost all the best luminaries of the security world have been saying this for years. Ant Allan from Gartner wrote a paper about it ages ago (10 years possibly), but time and time again I see the same old stuff being trotted out because some Infosec consultant mandated it: "force everyone to change their password regularly every 30/60/90 days". Don't. Change a password when there's a reason to (a suspected compromise, a breach at the service, someone leaving who knew it), not on a timer.
I'm not a great fan of passwords anyway, as I've said before in a previous article, "Passwords Forget Them", but if you're going to use them, do it properly.
Better still, use a solid 2FA system: Google Authenticator if it's a personal issue, especially for your primary email account, and something like Gemalto's SafeNet Authentication Service if you're doing this at a corporate or organisational level.
Come talk to me about 2FA!