Expiration Of Passwords Is A Tired Idea

In response to Claudiu Popa’s Who Said Passwords Are Dead, Gnomie Jim Smith from Ancaster, Ontario writes:

While the suggestions in the column would certainly secure a network and
database, I must disagree with the real-life practicality of password expiry
on most networks. You emphasize that a strong password (mixed numerals, case,
etc.) is one of the best factors, but having these expire on a regular basis
without the ability to reuse them defeats the system. It takes time to create
a good password that one can remember without writing it down somewhere. With
passwords expiring monthly, most people will resort to trivial passwords that
are easy to remember, knowing that they are throw-away. I would much rather
have an automatic password approval process whereby a user is forced to choose
a strong password, with ALL of the recommended factors (case, numbers, etc.)
and ensuring that a common dictionary word or name has not been used. This
may take a few minutes for the user to be accepted to the system when joining
and choosing a password at the first occasion, but will ensure a much more secure
overall network. Having users choose a new password
monthly will only ensure that someone will resort to common words, thus
defeating the security. It only takes one lazy or frustrated user to
compromise the network.

Along with the suggestions in your column, the use of pass phrases (including
case, numbers, etc.) would add another level of password integrity. The old
networks that limit passwords to eight (or so) characters should be replaced with those
requiring longer passwords that will most certainly need to include a
multi-word phrase in order to meet the minimum length.
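The approval process the letter describes (mixed case and digits enforced, common words and names rejected, and a minimum length that a single word cannot meet) is easy to make concrete. The following is an added example written for this page, not code from the column or from the letter writer; the word list, the 16-character minimum and the substitution table are assumptions chosen for illustration. The dictionary check undoes the tricks a cracker's rule set undoes (trailing digits, "0" for "o", "@" for "a") so that a disguised dictionary word is still caught, while a genuine multi-word phrase passes:

```python
"""Password approval check of the kind argued for in the letter above:
mixed case and digits required, a common dictionary word or name rejected
even when padded or disguised, and a minimum length that forces a
multi-word phrase. Added example, not part of the original page."""

import re

# Constructed word/name list for this example only. A real deployment would
# load a full dictionary, a list of common names and a breached-password list.
COMMON_WORDS = {
    "password", "welcome", "summer", "dragon", "letmein",
    "jim", "smith", "ancaster", "ontario",
}

# Minimum length (assumed value): long enough that one word plus a few digits
# cannot pass, so a multi-word phrase is needed to comply.
MIN_LENGTH = 16

# Substitutions a cracker's rule set undoes before a dictionary lookup;
# the checker undoes them too so that "P@ssw0rd" is recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalized_core(password: str) -> str:
    """Reduce a password to the word a cracker would recover from it:
    drop leading/trailing digits and symbols, undo leet substitutions,
    keep letters only, lower-case the result."""
    trimmed = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", trimmed.translate(LEET_MAP).lower())


def policy_failures(password: str, wordlist=COMMON_WORDS,
                    min_length: int = MIN_LENGTH) -> list[str]:
    """Return every reason the password fails the policy (empty = accepted)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    core = normalized_core(password)
    if core in wordlist:
        failures.append(f"based on the common word or name '{core}'")
    return failures


def is_acceptable(password: str) -> bool:
    """True when the password satisfies every rule above."""
    return not policy_failures(password)


if __name__ == "__main__":
    # Constructed candidates: three "word plus padding" passwords a user
    # might pick under monthly expiry, and one multi-word phrase.
    for candidate in ["Summer2024!", "P@ssw0rd123", "Jim1975",
                      "correct-Horse-battery-7-staple"]:
        print(f"{candidate!r}: {policy_failures(candidate) or 'accepted'}")
```

Two practical notes. First, `normalized_core` deliberately strips padding and substitutions, because "Summer2024!" and "P@ssw0rd" are exactly the throw-away choices the letter predicts, and a naive exact-match lookup would accept both. Second, the letter's position on expiry is the one current guidance has adopted: NIST SP 800-63B recommends against forced periodic password changes and against composition rules, and instead recommends a minimum length together with screening new passwords against lists of known-compromised values, which is the `wordlist` hook in the code above.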