Should We Reset Every Password Every Three Months?

Wednesday, May 21, 2014 - 10:48 AM

(Dev Arka/flickr)

So WNYC, our parent company and benevolent overlords, has set its IT policy such that we are required to change our passwords every three months. and it drives us nuts. It feels like our internal communications are low-stakes enough and WNYC is a not particularly valuable target. But considering how frequently passwords are compromised these days, maybe this should be applied to all my online accounts, not just my work account.

This was prompted by the news that eBay is requesting that every single user reset their passwords after a hack. Which comes on the heels of the myriad passwords that I had to change in the wake of Heartbleed's exposure. This is becoming a somewhat regular occurrence, or at least regular enough that I find myself doing it fairly frequently.

But by waiting until a hack occurs, I'm potentially putting myself at risk. Especially since companies sometimes wait weeks to disclose data breaches. As someone who uses eBay maybe once a year to buy records I can't find at the record store, I would never have changed my password had I not happened across an article about it this morning.

The best existing version of this right now are programs like 1password, but it makes sense that some kind of password management database come native with operating systems, allows you to encrypt your passwords, and prompts you to update them within a given period of time. Of course that requires you to have a certain amount of faith in companies not to peek at your password, and recent news has shaken that faith

In a solid year's worth of hacking news, one thing has become abundantly clear to me: it is up to me, the end user, to be smart and careful about the way I secure my data. Because the companies I deal with as a consumer are doing a piss poor job. So when I think about it, WNYC's draconian password changing policy is actually pretty sensible.


More in:

Comments [3]

Eric Goebelbecker

Forcing people to change their passwords frequently leads to insecure passwords being left on post it notes in offices, and any one really familiar with security knows that this is as dangerous, if not more than, an online breach.

Forcing users to change their passwords every three months is the computer security equivalent of taking laptops out of carry-on luggage and putting your shoes on the conveyor belt.

If you use a password manager (I think lastPass is a lot easier to use than 1Password) and have it generate a different password for each site, the effect of a breach on any one site is limited.

Of course none of these tools work on a computer logon, so people end up using less and less secure passwords each quarter, especially since the default Windows settings don't let you recycle passwords.

May. 21 2014 12:14 PM
Derik from PA

I highly recommend LastPass for your password management needs. You can use it cross browser/OS and desktop/mobile. Also it's security is such that even if they are hacked your passwords won't be exposed.

May. 21 2014 12:04 PM
JeffZ from SF

This is such a good example of letting the perfect be an enemy of the good. Nobody, nobody, nobody can manage to change all 4,915 passwords so frequently. I can hardly manage the ones I have, and I'm already ignoring the similarly insane suggestion that every single one of those 4,915 passwords be different. When you add into the mix the fact that most services (banking, email, etc) lock you out of your account if you enter the wrong password three times, AND the fact that you are prohibited by decree of Almighty God from writing your passwords down anywhere, the insanity of the situation is obvious. It's nice to have access to password-management programs, but I don't trust them any more than I trust ebay to keep anything secure.

May. 21 2014 11:41 AM

Leave a Comment

Email addresses are required but never displayed.

Supported by

Embed the TLDR podcast player

TLDR is a short podcast and blog about the internet by Meredith Haggerty. You can subscribe to the TLDR podcast here. You can follow our blog here. I tweet @manymanywords and @tldr.

Subscribe to Podcast iTunes RSS