In this post Prof. Eugene Spafford of Purdue talks about security and passwords. There are so many buzzwords and scare-tactic marketing in security that most of the non-technical people I know are reduced to the cyber equivalent of burnt offerings: they subscribe to some (often) dysfunctional security product and then cross their fingers. They don’t have the time and energy to understand where the threats are and how to avoid them (like using Firefox instead of IE, for example). This article briefly delineates the major threat modes for passwords and then offers some thoughtful advice.

I saw an RFP recently for an organization spread over several hundred locations with thousands of employees that required the system to ensure that passwords were changed every month and that no password was reused over seven years. There is no better way to ensure that thousands of passwords end up on post-it notes stuck to monitors or under keyboards.

As the good professor concludes:

In summary, forcing periodic password changes given today’s resources is unlikely to significantly reduce the overall threat — unless the password is immediately changed after each use.

Giving users suggestions for selecting passwords that are both memorable to the user and difficult to research, and letting them keep them for a lengthier period, will result in better security and fewer lost passwords.