At my job, I am required (by Windows Domain Policy implemented by our system administrator) to change my password every 45 days.  I understand the mentality behind forcing password changes on a regular basis.  Changing your password on a regular basis means that if your password is ever compromised it’s only compromised until the next password change.  Unfortunately, if a person is required to change their password too often, more than likely they’ll make it something easy to remember as opposed to making it a password that’s difficult to crack.  I’ve found that changing my password every 3 months is a good balance for me.

Like most of my generation, I use the Internet for a LOT of things.  I have accounts on numerous websites (some I don’t even remember).  So believe me when I say, I’ve seen some pretty ridiculous password policies.  I’ve seen:

• sites that require 1 capital letter, 1 number, and 1 special character, but only allow a password to be 8 characters long,
• sites that require 1 capital letter, 1 number, and 1 special character, but the number can’t be the first character and the special character can’t be the last character,
• sites that don’t broadcast the password policy, just tell you that you’re password doesn’t fit,
• sites that have a max length for the password but don’t tell you, and there is no error when you set it.

and these are just a few of the more ridiculous ones.

Implementing policies like this can lead to security breaches or lax password management.  For instance, to circumvent the password policy at work, I wrote a batch script that would change my domain password a specified number of times (this is because in Windows you can set a policy to keep password history and disallow you from using the same password within the history, in my office its 25) and back to the original password.

A friend and I schemed up an idea for password policy a few years ago.   First off, there is no policy with regards to minimum length, required character sets, or placement of characters.  The enforced changing of  the password would be dependent on the strength of the current password.  If you have a weak password, you’ll have to reset your password sooner.  If you have a ridiculously strong password (64 characters with alphanumeric and special characters including capital letter and minimal entropy, because that’s how I roll) you would never have to change your password.

I suppose the moral of my story is that password policies can be good if implemented sanely.  If not, they can cause more problems than they prevent.  In short:  password policies GOOD, moronic IT managers BAD