by Sandy Kendall

Do Password Policies Comply with Security, or Just Security Auditors?

Feb 02, 2004

According to a one-week quick poll on, 45 percent of organizations require network users to change their passwords every quarter. That's in line with password policies at the Maui High Performance Computing Center, the University of Kansas Medical Center and many other repositories of sensitive information. Thirty percent require a monthly password refresh.

But a surprising number (18 percent) of organizations leave password changing up to the users' discretion, and almost 10 percent require a change only annually or semi-annually. That sounds a little lax by comparison. But, in reality, is it so bad?

There's an enigmatic equation here, a risk management brainteaser. If you require users to change passwords every three months, and follow reasonably rigorous password criteria (e.g., eight or more characters, nonalphabetical characters, no dictionary words or proper nouns, etc.), it becomes increasingly hard for users to recall their passwords, particularly for users who have multiple passwords for multiple systems. This leaves the forgetful or the sensory-overloaded worker two alternatives. They can obediently update passwords but breach security another way by recording their passwords somewhere (computer file, paper file, sticky note). Or they can make frequent help-desk calls (which by some estimates cost about $25 a pop).
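To make the trade-off concrete, here is a small policy checker that encodes the criteria the column lists (minimum length, at least one nonalphabetical character, no dictionary words or proper nouns) alongside the rotation intervals from the poll. This is an added example written for this page, not code from CSO or from any of the organizations named; the thresholds, the rotation table and the tiny word list are constructed stand-ins for whatever a real deployment would use.

```python
"""Password-policy checker for the criteria and rotation intervals discussed above.

Added example, not part of the original column. The policy values and the
miniature word list below are constructed for illustration only.
"""
from datetime import date, timedelta

# Assumed policy thresholds mirroring the column's example criteria.
MIN_LENGTH = 8

# Rotation intervals (days) for the policy options mentioned in the poll.
ROTATION_DAYS = {"monthly": 30, "quarterly": 91, "semi-annual": 182, "annual": 365}

# Constructed miniature dictionary / proper-noun list standing in for a real wordlist.
DICTIONARY = {"password", "welcome", "summer", "kansas", "maui"}


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    # str.isalpha() is True only when every character is a letter, so an
    # all-letter password fails the "nonalphabetical characters" rule.
    if candidate.isalpha():
        violations.append("contains only letters; needs a digit or symbol")
    # Strip digits and symbols before the dictionary lookup so that the common
    # "word + digits + symbol" construction (e.g. Summer2004!) is still caught.
    letters_only = "".join(ch for ch in candidate.lower() if ch.isalpha())
    if letters_only in DICTIONARY:
        violations.append("based on a dictionary word or proper noun")
    return violations


def days_until_rotation(last_changed: str, policy: str, today: str) -> int:
    """Days left before a password set on last_changed (ISO date) expires under policy.

    A negative result means the password is already overdue for a change.
    """
    expires = date.fromisoformat(last_changed) + timedelta(days=ROTATION_DAYS[policy])
    return (expires - date.fromisoformat(today)).days


if __name__ == "__main__":
    for pw in ["Ab1!", "abcdefghij", "Summer2004!", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    for policy in ROTATION_DAYS:
        print(policy, days_until_rotation("2004-01-01", policy, "2004-02-02"))
```

Running the block shows why a longer rotation interval eases the recall problem the column describes without touching the complexity rules: the same password that clears `check_password` is overdue after a month under the monthly policy but still has weeks of life under the quarterly one, and the dictionary check rejects the "word plus a year" pattern that users reach for when they must invent something new every few weeks.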

Neither of these is a very good option. Keeping passwords for longer periods of time may alleviate the problem somewhat. But password aging, as one CSO reader recently wrote to us, makes an easy check box on an audit or due diligence report. In other words, it looks really bad to have old passwords. And sometimes what looks good is valued more than what works.

Have you run into conflicts with real versus checkbox security in your organization? Do your password policies work, or invite more trouble than they prevent?