Should We Reset Every Password Every Three Months?
Wednesday, May 21, 2014 - 10:48 AM
So WNYC, our parent company and benevolent overlords, has set its IT policy such that we are required to change our passwords every three months, and it drives us nuts. It feels like our internal communications are low-stakes enough and WNYC is not a particularly valuable target. But considering how frequently passwords are compromised these days, maybe this should be applied to all my online accounts, not just my work account.
This was prompted by the news that eBay is requesting that every single user reset their passwords after a hack. Which comes on the heels of the myriad passwords that I had to change in the wake of Heartbleed's exposure. This is becoming a somewhat regular occurrence, or at least regular enough that I find myself doing it fairly frequently.
But by waiting until a hack occurs, I'm potentially putting myself at risk. Especially since companies sometimes wait weeks to disclose data breaches. As someone who uses eBay maybe once a year to buy records I can't find at the record store, I would never have changed my password had I not happened across an article about it this morning.
The best existing versions of this right now are programs like 1Password, but it makes sense that some kind of password management database should come native with operating systems, allow you to encrypt your passwords, and prompt you to update them within a given period of time. Of course that requires you to have a certain amount of faith in companies not to peek at your password, and recent news has shaken that faith.
In a solid year's worth of hacking news, one thing has become abundantly clear to me: it is up to me, the end user, to be smart and careful about the way I secure my data. Because the companies I deal with as a consumer are doing a piss-poor job. So when I think about it, WNYC's draconian password-changing policy is actually pretty sensible.