Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Does forcing users to change passwords more frequently really amount to increased security?

www.lepide.com

Passwords have long been used to prove identity and to authenticate user access to resources. Over time, in the name of security, we have made password requirements more complex and turned frequent password changes into a requirement.

In the pursuit of better security, however, we have overlooked the very quality that made password-based authentication preferable to other approaches in the first place: its simplicity.

Demanding ever more complex passwords and then forcing users to change them frequently undermines the principle on which password security rests. Users who must produce a steady stream of complex passwords cannot remember them all, so many write them down, and a written-down password is easily compromised.

So should we force users to change passwords?

The other day I was scanning different user forums for the answer and came across this thread on Spiceworks. IT administrators across the globe appear to be divided on this matter: while many express reservations about the effectiveness of forcing users to change passwords, others advocate it. Here I have compiled the most important responses from these admins to give you an overview of their opinions:

Going by the responses of these IT managers, forcing users to change their passwords is no guarantee of security; nevertheless, many administrators still follow the practice to protect their Windows networks because they feel they have no other choice. Biometric authentication, such as fingerprint-based login, may demand additional investment, but it is more secure and also reduces help-desk calls, so it may prove economical in the long run. Until then, it seems reasonable to ask users to change their passwords at more sensible intervals; NIST SP 800-63B goes further and advises against requiring periodic changes at all, mandating a change only when there is evidence that a password has been compromised.
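As an added example (not part of the Lepide post), the following PowerShell shows how the rotation interval discussed above is actually controlled on a Windows domain. It reads the current default domain password policy, lengthens the maximum password age while keeping the length and history requirements, and then lists the enabled accounts that are exempt from expiry or whose password is already older than the new interval. The domain name is taken from Get-ADDomain; the 180-day interval, the 12-character minimum and the 24-password history are illustrative values chosen here, not figures from the post, and the script assumes a domain-joined workstation with the RSAT ActiveDirectory module and Domain Admin rights.

```powershell
# Added example, not code from the Lepide post. Assumes the ActiveDirectory
# module (RSAT) and Domain Admin rights. 180 days / 12 chars / 24 history are
# illustrative choices, not values the post recommends.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

# 1. Show the settings behind the forum debate: how often users must change
#    their password and what they must meet each time they do.
$policy | Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                        ComplexityEnabled, PasswordHistoryCount | Format-List

# 2. Relax the rotation interval (the Windows default is 42 days) while keeping
#    length and history requirements, so users are not pushed into writing
#    passwords down. Remove -WhatIf to apply the change.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -WhatIf

# 3. Report the enabled accounts that sidestep the policy entirely
#    (PasswordNeverExpires) or whose password already predates the new interval.
$cutoff = (Get-Date).AddDays(-180)
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or ($_.PasswordLastSet -lt $cutoff) } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet
```

Run it first as written: the -WhatIf on Set-ADDefaultDomainPasswordPolicy prints what would change without touching the domain, and the report in step 3 shows whether any accounts (service accounts are the usual culprits) have been quietly excluded from the rotation policy the rest of the organisation is being asked to live with.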