Do You Need to Change Passwords?

By: Absolute Team | 11/27/2010

From studies we've highlighted in the past, we know that most organizations do not require employees to change passwords. But is changing passwords a big deal, really?

That's the question Bruce Schneier set out to answer in his latest blog post, and the answer, which isn't as clear-cut as enterprise security teams might like, is "it depends."

On the one hand, changing passwords means a compromised password is only useful to an attacker or outsider for a limited window. On the other hand, forcing frequent changes often pushes employees toward easier-to-remember (and weaker) passwords, or toward trivial variations of the old one. That trade-off, however, does not cover every attack scenario.

In the case of espionage or money theft, the attacker acts as soon as the password is obtained, so routine rotation is unlikely to prevent the crime; what matters is changing the password immediately once a compromise is suspected or a crime has been discovered. The overall recommendations are:

  • Change corporate login passwords only occasionally
  • Change other (e.g. social networking) passwords only if someone close to you, such as a friend or ex-spouse, might abuse them
  • Don't bother changing your computer, financial or encryption key passwords on a schedule; change any password immediately if you think it has been compromised
  • A good password is more important than one which is changed often
  • Since a good password is hard to recall, write it down somewhere SAFE or use a program like Password Safe or 1Password
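Two of the points above can be made concrete in code: a password-manager-style random password carries far more entropy than anything a person would rotate by hand, and a forced change tends to produce a "new" password that is the old one with a digit bumped or a symbol appended. The following is an added example, not code from the original post, from Absolute, or from Schneier; the helper names and the similarity thresholds are my own choices, and the sample passwords are constructed for illustration.

```python
import math
import secrets
import string

# Alphabet a password manager typically draws from: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a uniformly random password from ALPHABET using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password_length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    20 characters from 94 symbols is about 131 bits; a memorised word plus
    a year and a symbol is a tiny fraction of that."""
    return password_length * math.log2(alphabet_size)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """Flag a 'new' password that is just the old one with a tweak.

    Two heuristics (thresholds are an assumption for this example):
      1. case-insensitive edit distance of at most max_distance
         ("Passw0rd1" -> "Passw0rd2", "Winter2010" -> "Winter2011");
      2. identical once trailing digits/punctuation are stripped
         ("Hunter2" -> "Hunter2025!!").
    """
    a, b = old.lower(), new.lower()
    if a == b or levenshtein(a, b) <= max_distance:
        return True
    core_a = a.rstrip(string.digits + string.punctuation)
    core_b = b.rstrip(string.digits + string.punctuation)
    return core_a != "" and core_a == core_b


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
    for old, new in [("Passw0rd1", "Passw0rd2"), ("Hunter2", "Hunter2025!!"),
                     ("Summer2010!", pw)]:
        print(f"{old!r} -> {new!r}: trivial rotation = {is_trivial_rotation(old, new)}")
```

The rotation check is the kind of rule a password-change form can apply server-side so that a mandatory reset does not silently degrade into "same password, next number"; the entropy figure is the argument for letting a manager pick the password and never needing the reset in the first place.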