
Too many password changes


    If you make people change their password every couple of weeks, doesn’t that lead to a security problem?

    They’re likely to choose the name of their partner/home village/pet/themselves plus a number, e.g.
    Pete1
    Pete2
    Pete3
    and so on

    If they are forced to bring some variety into it, i.e. not using words they’ve used before, they’re likely to write their password down, because they have to remember passwords for PCs at home and work, passwords for apps, codes for stupid time reporting systems (that's another rant I've done earlier), PIN numbers for their bank cards etc. The act of writing down the password is in itself another security risk.

    I can understand the need to change passwords from time to time, but surely once every two weeks is overdoing it and actually lessening security?
    And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014

    #2
    At clientco I have to change all passwords every 3 months. I currently have 51.



      #3
      Originally posted by BrilloPad
      At clientco I have to change all passwords every 3 months. I currently have 51.
      So you probably bill at least a day every few months simply for changing passwords and updating the Excel sheet listing them that you then leave on an unsecured network disk or USB so that any colleague can always access it to help you if you forget a password.
      And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014



        #4
        Originally posted by Mich the Tester
        If you make people change their password every couple of weeks, doesn’t that lead to a security problem?

        They’re likely to choose the name of their partner/home village/pet/themselves plus a number, e.g.
        Pete1
        Pete2
        Pete3
        and so on

        If they are forced to bring some variety into it, i.e. not using words they’ve used before, they’re likely to write their password down, because they have to remember passwords for PCs at home and work, passwords for apps, codes for stupid time reporting systems (that's another rant I've done earlier), PIN numbers for their bank cards etc. The act of writing down the password is in itself another security risk.

        I can understand the need to change passwords from time to time, but surely once every two weeks is overdoing it and actually lessening security?

        Yes it is self-defeating.

        Once a year is quite enough.

        Generally these policies are a consequence of a very bitter IT manager who (having since left) dreams up draconic and very annoying measures just to get back at 'those damn users'.



          #5
          I end up forgetting the new one and have to phone up IT support.



            #6
            Originally posted by minestrone
            I end up forgetting the new one and have to phone up IT support.
            Me too
            Bazza gets caught
            Socrates - "The only true wisdom is in knowing you know nothing."

            CUK University Challenge Champions 2010



              #7
              Originally posted by minestrone
              I end up forgetting the new one and have to phone up IT support.
              That's what I've just done and it's become a two-weekly part of my routine; the only 'security' check they do is to ask for my postcode and house number, so anyone who knows my address can get into most of the systems at ClientCo. Clever.

              In fact they've made it really easy by giving you a 'if you wish to reset your password' option on the helpdesk spoken menu, and as I understand it there are 4 people employed there to do nothing other than password resets. Shouldn't that be a sign that the 'policy' needs changing?
              Last edited by Mich the Tester; 26 March 2009, 14:53.
              And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014



                #8
                I would have thought that if anyone seriously wanted to hack into the servers they would find a better way than nicking someone's password.

                Or am I just naive?



                  #9
                  Forgot my laptop password yesterday, and had to enter a new one given to me by phone. It was 50 characters long!



                    #10
                    Originally posted by original PM
                    I would have thought that if anyone seriously wanted to hack into the servers they would find a better way than nicking someone's password.

                    Or am I just naive?
                    Most security threats are internal and not from hackers; same as with shops, where most theft is actually committed by staff.
                    And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014
