From studies we've highlighted in the past, we know that most organizations do not require employees to change passwords. But is changing passwords a big deal, really?
That's a question that Bill Schneier set out to answer in his latest blog post, and the answer, which isn't as clear-cut as enterprise security teams might like, is "it depends."
On the one hand, changing passwords means that a compromised password has an expiration date on its usefulness to cybercriminals or outsiders. On the other hand, forcing frequent password changes may lead employees to choose easier-to-remember (and less secure) passwords. However, this is not an exhaustive summary of all fraud scenarios.
In the case of espionage or money theft, changing passwords often is not likely to prevent the crime, but doing so is vital immediately after a crime has been committed. Recommendations, overall, include: