Do password policies comply with security?

FRAMINGHAM (02/13/2004) - According to a one-week quick poll on, 45 percent of organizations require network users to change their passwords every quarter. That's in line with password policies at the Maui High Performance Computing Center, the University of Kansas Medical Center and many other repositories of sensitive information. Thirty percent require a monthly password refresh.

But a surprising number (18 percent) of organizations leave password changing up to the users' discretion, and almost 10 percent require change only annually or semi-annually. Sounds a little lax by comparison. But, in reality, is that so bad?

There's an enigmatic equation here, a risk management brainteaser. If you require users to change passwords every three months, and follow reasonably rigorous password criteria (e.g., eight or more characters, nonalphabetical characters, no dictionary words or proper nouns, etc.), it becomes increasingly hard for users to recall their passwords, particularly for users who have multiple passwords for multiple systems. This leaves the forgetful or the sensory-overloaded worker two alternatives. They can obediently update passwords but breach security another way by recording their passwords somewhere (computer file, paper file, sticky note). Or they can make frequent help-desk calls (which by some estimates cost about US$25 a pop).

Neither of these is a very good option. Keeping passwords for longer periods of time may alleviate the problem somewhat. But password aging, as one CSO reader recently wrote to us, "makes an easy check-box on an audit or due diligence report." In other words, it looks really bad to have old passwords. And sometimes what looks good is more valued than what works.

Have you run into conflicts with "real" versus "checkbox" security in your organization? Do your password policies work, or invite more trouble than they prevent?

