
Forced password changes are not good security policy

For so long I have read and heard that a GREAT security feature is to force your users to change passwords every so many days or months. Linux even has a built-in feature for this.

This is a really stupid idea for many, many reasons. #1: a password is a password is a password. If a hacker can guess one, they can guess another. Simply forcing users to change passwords gives a false feeling of security.

Another reason it is a piss-poor idea is that users usually pick another form of their old password so they can remember it (a new year on the end, a bumped digit, a swapped symbol), which again solves nothing whatsoever.

Another reason this is a stupid idea is that people will often forget their new password.

Another reason this is a bad idea is that users usually either write their password down or store it in a regular note-type program on their phone, and more are using password-saving software. I once used a password saver; it worked great, it saved all my passwords… except for the password to unlock it. I quit using them after that. LOL

You can read more about the treacheries of forced password cycling here.

You will notice others say the same things and more here.

Even Microsoft realizes this is a bad idea that should be left in the past.