Is changing your password at work every six months a waste of time?

Asked by Captain_Fantasy (11431points) May 3rd, 2010

I hereby challenge the conventional wisdom that changing your password often makes your computer more secure.

Seems to me that not changing your password every six months is less of a security problem than my neighbors who can’t remember their passwords and therefore write them down on a post-it note that goes right on the monitor, and every six months those office neighbors of mine take down the post-it password and put up a new one, totally wiping out any security benefit gained by changing their password in the first place.


19 Answers

marinelife's avatar

Maybe, at some places, but it is a good system for preventing security breaches. I use variations or riffs on the same password that I rotate between for ease of remembering.

Captain_Fantasy's avatar

Easy for you to remember means easy to hack.

bongo's avatar

Changing my password round would just end up with me blocking myself systematically from everything I have that requires a password. It would be more hassle going through re-setting my password every time I want to log in to something than making up an obscure password, not telling anyone it and sticking to it.

missingbite's avatar

@Captain_Fantasy The problem with changing too often is that many people make them too easy (i.e. Spring2010). I have had the same password on my computer for years and would venture to say it’s close to impossible to guess.

erichw1504's avatar

Six months doesn’t seem like a waste of time. Any more often, then maybe.

At my workplace, we must change our password every 90 days.

Steve_A's avatar

I think you should just come up with one insanely ridiculous password and remember it.
If you are going to be hacked, you will be hacked… like they sit there and play a guessing game, c’mon.

ValerieTeacup's avatar

Funny question! I don’t exactly think so. Well, maybe just a few 1–3 minutes? Depends on how much you really spare your time to come up with a new password.
I assume that if you’ve already planned your future password and maybe memorized it (or most of it) in your head then there’s not much to worry about ‘cause you’ve got it and it’s settled.

Seaofclouds's avatar

When I had to change my password every 6 months at my old job, I would change it, then immediately change it back to the original password. If I didn’t do that, I would forget that it changed and end up locked out of my access to the computers (which isn’t good when you are a nurse and have patients to take care of right that minute).

Fyrius's avatar

On the subject of passwords, whenever I have to come up with one, I always ask myself two questions.
1. Is anyone even going to bother trying to break into this account?
2. Would I give a spam if they did?
More often than not the answers are “probably not” and “whatever”.
When it comes to changing the password periodically, I’d be tempted to add as a third question:
3. How likely is it that someone would make serious long-term work of trying to break into this account, but need more time to figure out my password than the period between two passwords?
But I have the feeling that would probably miss the point. Because if anyone wants to break into your account, they’re not going to need over six months.

What exactly is the point, then?

Unrelated protip: use leetspeak in passwords, it makes them strong and easy to remember.

jaytkay's avatar

I change mine because I have seen passwords stolen from very sophisticated power users. I’m not worried about someone guessing it, I am worried I will get fooled by a phishing site.

For easy-to-remember but hard-to-hack passwords, make them long phrases.

For example: MyAuntElizabethJonesWasBornInMississippi

And I could put a picture of Aunt Elizabeth on the cork board as a password reminder.

LuckyGuy's avatar

Useless. It only affords more work for the IT department.

Fyrius's avatar

@jaytkay
Better example: My 4unt 3l124b3th J0n35 w45 b0rn 1n M1551551p1.
Or all together, My4unt3l124b3thJ0n35w45b0rn1nM1551551p1.

Heck, you could write that down and leave it lying around, and to anyone who doesn’t know what you did there it would seem like a jumbled mess of random letters and numbers that they’d need to copy character by character into the password field.

jaytkay's avatar

Better example: My 4unt 3l124b3th J0n35 w45 b0rn 1n M1551551p1

Better in the same way that putting steel plates over my apartment windows and fifteen deadbolts on each door would lessen the chance of a break-in :-)

Zen_Again's avatar

My birthday doesn’t change.

;-)

Fyrius's avatar

@jaytkay
Hey, you’re the one inputting a forty-letter password every morning. ;)
I only recommended using leetspeak. Which is in my opinion a much less bothersome method for strong yet memorisable passwords. I can read that sentence fluently. An advantage of being an old school internet nerd. :P

At any rate, a few numbers in your password are a good contribution, though. It makes it stronger than one made up of just letters. Or so I’ve heard.

hearkat's avatar

We have to change ours very often – they tell us it’s HIPAA regulations regarding electronic medical records. We can’t simply vary the same password either unlike @Marina… it has to be a completely novel combination (compared to the past 7 passwords!), and so it is difficult to remember. I have a list on my iPhone… which has a passcode lock, so it’s a bit more secure than a post-it on the monitor!

erichw1504's avatar

Press Any Key to Continue…

“Where’s the Any Key?”

Tropical_Willie's avatar

I worked at one place where you had to change every 60 days. I used a foreign word with a four-digit number. We had an issue with the entire password system, I think someone was laid off in IT…. We had to go down in person to the Director of IT and give him the new password. He was scratching his head over my six-letter foreign word and then I gave him the four-digit number.

tuxuday's avatar

Good question. I have been in IT for nearly a decade now, so I will try to answer the question.

Changing your password every X months/days is part of a password policy. A password policy is normally accompanied by other such points as well.

Normally when you choose a password the “password strength” guides you to choose a password which is hard to crack by brute-force method.

Brute-force involves two main parameters.
1) Processing power available
2) Time

Ex. If I have a password which is, say, 3 chars in length, and a given system can translate a password to a key (md5sum), say, in 1 sec, then it takes approx. 10 days for the hacker to try all possible combinations, pow(94,3). It is generally agreed that if the password policy forces the user to change the password every 5 days, then the system is safe from brute-force hack.
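
The brute-force arithmetic in tuxuday's answer, generalised as an added example (not part of the thread): it computes how long exhausting a keyspace takes, the chance a random password is found inside one rotation period, and the shortest length that outlasts that period. The function names and every guess rate other than 1 per second are assumptions, not figures from the page.

```python
"""Added example: keyspace-vs-rotation arithmetic for password policy sizing."""

PRINTABLE = 94   # printable ASCII characters, as in pow(94, 3) in the answer
DAY = 86_400     # seconds per day


def exhaust_days(length, guesses_per_sec, charset=PRINTABLE):
    """Days needed to try every password of exactly `length` characters."""
    return charset ** length / guesses_per_sec / DAY


def crack_probability(length, guesses_per_sec, rotation_days, charset=PRINTABLE):
    """Chance a uniformly random password is tried within one rotation period."""
    tried = guesses_per_sec * rotation_days * DAY
    return min(1.0, tried / charset ** length)


def min_safe_length(rotation_days, guesses_per_sec, charset=PRINTABLE):
    """Shortest length whose full keyspace outlasts one rotation period."""
    length = 1
    while exhaust_days(length, guesses_per_sec, charset) <= rotation_days:
        length += 1
    return length


if __name__ == "__main__":
    # The answer's case: 3 characters at 1 guess per second.
    print(f"3 chars @ 1/s: {exhaust_days(3, 1):.1f} days to exhaust")
    print(f"found within a 5-day rotation: {crack_probability(3, 1, 5):.0%}")

    # Assumed guess rates (constructed for illustration, not from the thread):
    # a throttled online login, a faster service, and offline hash checking.
    for label, rate in [("1/s", 1), ("1e6/s", 1e6), ("1e10/s", 1e10)]:
        for window in (60, 90, 180):
            n = min_safe_length(window, rate)
            print(f"{label:>7}, {window:>3}-day rotation -> length >= {n}")
```

At fast guess rates the rotation interval barely moves the required length, while each extra character multiplies the search time by 94.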
