{"id":9,"date":"2002-06-06T09:40:00","date_gmt":"2002-06-06T17:40:00","guid":{"rendered":"http:\/\/www.netjeff.com\/wp\/?p=9"},"modified":"2007-12-30T16:58:03","modified_gmt":"2007-12-31T00:58:03","slug":"why-forcing-users-to-change-passwords-doesnt-solve-the-problem","status":"publish","type":"post","link":"https:\/\/www.netjeff.com\/wp\/?p=9","title":{"rendered":"Why forcing users to change passwords doesn't solve the problem"},"content":{"rendered":"<p>I hate policies that say that users have to change passwords periodically because that way the system is \"more secure\". Bruce Schneier has discussed this a few times in <a href=\"http:\/\/www.counterpane.com\/crypto-gram.html\">Crypto-Gram<\/a>.  I also like this recent <a href=\"http:\/\/slashdot.org\/comments.pl?sid=33700&amp;cid=3644938\">post<\/a> on Slashdot by <a href=\"http:\/\/slashdot.org\/%7Edangermouse\/\">dangermouse<\/a>:<\/p>\n<blockquote><p>That is the single most hare-brained bit of common security \"wisdom\" in the world.<\/p>\n<p>Years ago, I picked a password that's random as hell and was very difficult to remember. No password cracker&#8211; dictionary *or* brute force&#8211; has broken it yet. I use this password on about ten systems.<\/p>\n<p>If I changed those passwords on a regular basis, I'd have to come up with something easier to remember to make up for the decreased learning time. That would likely make my password less secure.<\/p>\n<p>I keep running into admins who&#8211; by hook or by crook&#8211; make their users change passwords periodically. The result? Passwords on Post-It notes; passwords that are the names of pets or wives or firstborn children; sets of passwords that are absurdly simple and that get cycled through.<\/p>\n<p>If they had just let the users keep their original passwords and run a cracker against the shadow file to turn up the overly simple ones, their systems would be a lot more secure. But somebody told them changing passwords frequently was a good idea, and by god their users are going to change passwords frequently.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>I hate policies that say that users have to change passwords periodically because that way the system is \"more secure\". Bruce Schneier has discussed this a few times in Crypto-Gram. I also like this recent post on Slashdot by dangermouse: That is the single most <a class=\"more-link\" href=\"https:\/\/www.netjeff.com\/wp\/?p=9\">Read More &#8230;<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-9","post","type-post","status-publish","format-standard","hentry","category-tech"],"_links":{"self":[{"href":"https:\/\/www.netjeff.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.netjeff.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.netjeff.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.netjeff.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.netjeff.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9"}],"version-history":[{"count":0,"href":"https:\/\/www.netjeff.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.netjeff.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.netjeff.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.netjeff.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}