To change or not to change passwords

Published on 19.07.2018, by lubosdz


A lot of discussion has taken place in the last few years about whether it is wise to enforce a company security policy that forces password rotation, usually every 3 months.

Camp #1 shouts "Yes, it's the right way, because people will never use strong passwords, and their accounts are easy to guess."

The opposite camp #2 shouts "No, it's wrong, because it becomes impossible to remember strong passwords over time, so people are forced to write them down somewhere .. security compromised!"

I have experience with both camps: hacked accounts due to silly weak passwords, but also frustration from regularly changing passwords in corporate applications.

After all, I figured out the best compromise, and I believe this should generally be the right way to apply a security policy:

  1. use a tool to properly measure password strength (see the list below)

  2. for STRONG passwords, offer the possibility to extend the rotation interval from the default 3 months to optionally 6, 9, 12 or 24 months, or OFF (yes, including turning rotation off). The user should be advised about the security risks, and disabling password rotation should be confirmed twice.

  3. for passwords of MIDDLE strength, allow extending the rotation period from the default 3 months to 6, 9 or 12 months. Don't allow disabling password rotation.

  4. weak passwords should not be accepted, of course.

I believe that when the password is something like "my1superSecureTIP-TOP:password!" there is no reason to force changing it again after 3 months; it just becomes counterproductive.
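The four-step policy above, worked through as an added example (this is not code from the original post and not from any library the post recommends). It assumes two things the post does not state: a crude character-class entropy estimate with penalties for repeated characters and dictionary words stands in for a real strength meter, and the tier thresholds are 60 bits for STRONG and 40 bits for MIDDLE. Everything else (the 3/6/9/12/24/OFF intervals, OFF only for strong passwords and only after two confirmations, weak passwords rejected outright) follows the post's rules.

```python
"""Tiered password-rotation policy (added example, not the post's own code).

Assumptions not taken from the post:
  - estimate_bits() is a rough stand-in for a proper strength library;
    it must not be used as-is in production.
  - STRONG >= 60 bits, MIDDLE >= 40 bits, otherwise WEAK.
  - a "month" is approximated as 30 days when computing the expiry date.
"""
import math
import re
from datetime import datetime, timedelta, timezone

STRONG_BITS = 60
MIDDLE_BITS = 40
DEFAULT_MONTHS = 3

# Allowed rotation intervals per tier, in months; None means rotation OFF.
ROTATION_OPTIONS = {
    "strong": [3, 6, 9, 12, 24, None],
    "middle": [3, 6, 9, 12],
    "weak": [],  # never accepted, so no interval applies
}

# Constructed mini dictionary; a real meter uses a large wordlist.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin"}


def estimate_bits(password: str) -> float:
    """Rough entropy estimate: pool size from the character classes present,
    scaled by length, then penalised for repeated characters and for any
    dictionary word (which is treated as one cheap token, not per-char)."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII symbols
    if pool == 0:
        return 0.0
    per_char = math.log2(pool)
    bits = len(password) * per_char
    # Repeated characters add little: scale by the fraction of unique chars.
    bits *= len(set(password)) / len(password)
    # A dictionary word is worth roughly one guess from a small list (~10 bits)
    # instead of len(word) random characters.
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            bits -= len(word) * per_char - 10
    return max(bits, 0.0)


def classify(password: str) -> str:
    """Map an estimate to the three tiers used by the policy."""
    bits = estimate_bits(password)
    if bits >= STRONG_BITS:
        return "strong"
    if bits >= MIDDLE_BITS:
        return "middle"
    return "weak"


def allowed_intervals(password: str) -> list:
    """Intervals (months, or None for OFF) the UI may offer for this password."""
    return ROTATION_OPTIONS[classify(password)]


def apply_policy(password, requested_months, confirmed_off_twice=False, now=None):
    """Validate a new password together with the rotation interval the user picked.

    Returns (accepted, message, expires_at). expires_at is None when the
    password is rejected or when rotation is turned off."""
    tier = classify(password)
    if tier == "weak":
        return False, "weak password rejected", None
    options = ROTATION_OPTIONS[tier]
    if requested_months not in options:
        return False, f"{tier} password: allowed intervals are {options}", None
    if requested_months is None:
        # OFF is only reachable for strong passwords and only after two confirmations.
        if not confirmed_off_twice:
            return False, "disabling rotation requires two confirmations", None
        return True, "rotation disabled (strong password, confirmed twice)", None
    now = now or datetime.now(timezone.utc)
    expires_at = now + timedelta(days=30 * requested_months)  # 30-day month assumption
    return True, f"rotate in {requested_months} months", expires_at


def demo():
    """Run the policy on constructed inputs with a fixed clock (the post's date)."""
    fixed_now = datetime(2018, 7, 19, tzinfo=timezone.utc)
    cases = [
        ("password1", DEFAULT_MONTHS, False),                        # weak: rejected
        ("Tr0ub4dor", 6, False),                                     # middle: 6 months ok
        ("Tr0ub4dor", None, True),                                   # middle: OFF not allowed
        ("my1superSecureTIP-TOP:password!", None, False),            # strong: OFF needs 2 confirms
        ("my1superSecureTIP-TOP:password!", None, True),             # strong: OFF accepted
    ]
    results = {}
    for pw, months, confirmed in cases:
        ok, msg, exp = apply_policy(pw, months, confirmed, now=fixed_now)
        results[(pw, months, confirmed)] = (ok, exp.date().isoformat() if exp else None)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The estimator is deliberately simple so the policy logic stays readable; swap in a real strength library before relying on the tiers. Note also that whatever interval the policy grants, a password still has to be rotated immediately when a compromise is suspected; the interval only governs routine expiry.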

That's all I have to say. Oh yes, here's a list of a few libraries for measuring password strength:

