I recently entered into a discussion with my fellow network administrators about their having password change policies and realized that opinions vary greatly on the efficacy of the practice. We had a rather lively discussion and in the end we just agreed to disagree. I am interested in your views on this and would greatly appreciate your feedback in the comments. To get things started, here are my answers to the three questions above and my reasoning for those answers.
- I do not change my passwords on a regular basis because there is no need to. I use extremely strong passwords and store them in LastPass. My Yubikey gives me two-factor authentication for LastPass on non-trusted computers. The only time I have changed a password is when I have been forced to by some policy on the network, or in the case of unusual behavior that could indicate a potential compromise. I was recently notified that one of my email addresses was on a list of sites that had been breached, so I changed that account password immediately. So, the simple answer to this question is that I change my passwords only on a reactive basis.
- On my network, I do not require users to change passwords. I emphasize to users that strong passwords are easy to create and remember and I help them do so. Forcing users to change them pretty much guarantees that they will choose something simple. A strong password is golden.
- Since I am the Network Administrator for my company, there is no policy forcing changing of passwords. And for my reasoning on this, I think it’s best communicated by saying I agree with this article by Bruce Schneier.
What’s your take on the subject?