12 February 2005
One of my recurring arguments with auditors and some security staff revolves around how to secure passwords. They often push for a variety of measures, many of which I think are counterproductive and actually decrease any protection a password might offer. One of the worst offenses is the requirement to force a password change on users on some regular schedule. Last year I enjoyed a minor victory here at the U when I was able to convince the auditor, the head of network security, and the CIO that we didn’t have to require 180 day auto-expiring passwords on machines with private data.
In documenting that case I pointed to a few articles including this PDF and a few ACM articles not available on the open web. Today I learned of a different article devaluing the password, that of a Microsoft security staff member arguing for long pass phrases instead: why you shouldn’t be using passwords. I found this article on Slashdot, which also included interesting comments and a link to an earlier story on the site.