According to a one-week quick poll on CSOonline.com, 45 percent of organizations require network users to change their passwords every quarter. That's in line with password policies at the Maui High Performance Computing Center, the University of Kansas Medical Center and many other repositories of sensitive information. Thirty percent require a monthly password refresh. But a surprising number (18 percent) of organizations leave password changing up to the user's discretion, and almost 10 percent require a change only annually or semi-annually.

Sounds a little lax by comparison. But, in reality, is that so bad?

There's an enigmatic equation here, a risk management brainteaser. If you require users to change passwords every three months, and follow reasonably rigorous password criteria (e.g., eight or more characters, non-alphabetic characters, no dictionary words or proper nouns, etc.), it becomes increasingly hard for users to recall their passwords, particularly for users who have multiple passwords for multiple systems. This leaves the forgetful or sensory-overloaded worker two alternatives. They can obediently update their passwords but breach security another way by recording them somewhere (computer file, paper file, sticky note). Or they can make frequent help-desk calls (which by some estimates cost about $25 a pop). Neither of these is a very good option.

Keeping passwords for longer periods of time may alleviate the problem somewhat. But password aging, as one CSO reader recently wrote to us, makes an easy check box on an audit or due diligence report. In other words, it looks really bad to have old passwords. And sometimes what looks good is more valued than what works.

Have you run into conflicts with real versus checkbox security in your organization? Do your password policies work, or invite more trouble than they prevent?