A couple of years ago, my workplace implemented a new password policy, requiring users to change their passwords every 3 months, not allowing the use of previously used passwords, imposing minimum password lengths, etc. Pretty standard stuff, really, and completely ineffective at actually securing data from unauthorized users.
If you stop to think about it, most data thieves acquire a password, log into a system, and raid the hard drives for all they're worth. Very rarely would they come back to hit the same target again. By the time the 3 month window rolls around and the user changes the password, that thief and the stolen data are long gone. You’ve changed the locks on the stable door after the horses are stolen, and although you may have now prevented your next barn-full of horses from getting taken the same way, your original horses are still out there in someone else’s pasture.
OK, that analogy starts to fall apart when you start comparing the various merits of horses and proprietary data, but you get my drift. A silly policy, and one that gets even more frustrating now that my workplace has also set up machines so that the screen-saver comes on after 5 minutes of inactivity and requires you to log back in to unlock the system. Not only does this make Netflix watching very difficult (hey, not during work hours!), but those first few days after you change your password, you’re sure to type the wrong (old) one at least seventeen different times before your muscle memory finally gives out and your fingers start to learn the new password.
A better solution than “changing the locks” every 3 months involves making the login process more difficult to copy by an unauthorized user. Nowadays, experts have pretty much settled on Two-Factor Authentication as the generally accepted best practice for login protection (analogous to having to swipe a key-card and pass a retinal scan to open the lock on the aforementioned stable door). By combining something you have (e.g. key fob, smartphone, etc.) with something you know (e.g. a password), you can prevent others from impersonating you in the event one of the two factors is compromised. If you then make the password strong enough, there’s absolutely no need to regularly change the password, and you can keep the same one indefinitely unless you suspect it may be lost/stolen.
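To make the "something you have plus something you know" idea concrete, here is an added example (not code from the original post) of how a login check can require both factors. The "something you have" is modelled as a time-based one-time password (TOTP, RFC 6238) of the kind a key fob or phone app generates from a shared secret; the "something you know" is a salted PBKDF2 password hash. The user record, salt, password and secret are all constructed for the example. It also guards against a captured code being replayed: each time step's code is accepted at most once, and a code is only valid within one step of the server's clock.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6       # code length shown on the token


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                  # counter as 8-byte big-endian
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None) -> str:
    """Time-based code (RFC 6238): HOTP over the current 30-second step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // TIME_STEP)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 password hash (the 'something you know')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record for the example; a real system would persist this
# and keep the TOTP secret protected at rest.
USERS = {
    "alice": {
        "salt": b"constructed-salt-value",
        "pw_hash": hash_password("correct horse battery staple",
                                 b"constructed-salt-value"),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
        "last_counter": -1,                       # highest TOTP step already used
    }
}


def _match_counter(secret: bytes, code: str, now: int, window: int = 1):
    """Return the time step whose code matches, checking +/- `window` steps
    to tolerate clock drift between token and server; None if nothing matches."""
    base = now // TIME_STEP
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def verify_login(username: str, password: str, code: str, now=None) -> bool:
    """Accept the login only if BOTH factors check out and the code is fresh."""
    if now is None:
        now = int(time.time())
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]),
                                user["pw_hash"])
    matched = _match_counter(user["totp_secret"], code, now)
    # A stolen password alone fails (no code); a captured code alone fails
    # (no password); a captured code reused after its step is rejected.
    if not pw_ok or matched is None or matched <= user["last_counter"]:
        return False
    user["last_counter"] = matched   # remember the step so the code can't be replayed
    return True


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    print("code now:", totp(secret))
    print("login:", verify_login("alice", "correct horse battery staple",
                                 totp(secret)))
```

The replay check is the part worth noticing: without `last_counter`, an attacker who shoulder-surfs or intercepts a code could reuse it for the remainder of that 30-second step, which is exactly the "one factor compromised" case the second factor is meant to cover.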
So why won’t my workplace adopt Two-Factor Authentication instead of this silly change-every-3-months policy? Like most initiatives, it comes down to cost and convenience. Two-Factor Authentication requires hardware in the form of tokens or key fobs, along with a server to authenticate against. For those engineers at the company who travel internationally and don’t always have guaranteed internet access, you run the risk of “locking out” these users until they can get back on the net. And of course, if they lose or break their key fob, you can kiss your computer goodbye until the office can drop-ship a replacement to you in the Middle of Nowhere, India, or Unapproachable Except By Pack Mule, Algeria.
All these adoption issues can be solved, of course (and likely have been already). But when your IT folks have to answer to a budget and corporate environment more concerned with meeting the letter of the law than the intent, you end up doing the bare minimum, infuriating all employees in the process. It looks like for the time being, I’m going to be stuck coming up with new passwords every three months for the foreseeable future. Hmm, I wonder if they’ll allow “monkey” or “12345678” for my next super-secure password?