What About Recurring Password Changes?

Many system administrators have set policies in place that require regular password changes. Every six months. Every 90 days. Some even require a change every 30 days. Does this make sense?

In defense of system administrators (sometimes I am one), this is a reaction to otherwise bad password habits, and it’s probably a failed attempt to get people to keep their passwords to themselves. My guess is that it backfires as often as it succeeds.

Changing passwords frequently is a good idea if you use bad passwords. Or short passwords. Or reuse passwords across multiple sites. Or especially if you share passwords with others! Of course, if you’re one of the people who does this (none of my readers, right?), then forcing a new password frequently probably just exacerbates the issue without really solving anything, and maybe even further encourages keeping a list of passwords written down. Horrors!

And then there are things like Heartbleed that mess up everything! Even if you followed every great password idea, you’re suddenly at risk. The solution, of course, is to change your password. Sadly, you really need to. You did all the right things, and this silly bug forces you to make a change.

Suggestion: start planning now. Use the same techniques to generate your next core password, now. Be prepared when you need it.

Last Updated: 9/30/2014