WSJ Article - Password Changes Thwart Security
Interesting read in today's Wall Street Journal. Most interesting is that consultants push a "change often" mentality on clients (as often as once a month), while companies that don't require password changes are often those in the security industry, such as Fortinet. Bottom line from one consultant: it's better to have a password someone can remember than to change them all the time and have the user write them on a sticky note.
Security experts have long recommended that computer users choose hard-to-break passwords and change them frequently in order to frustrate hackers. Now, those recommendations are being newly forced on millions of U.S. workers in the name of preventing financial fraud under the Sarbanes-Oxley corporate-reform act.
...
No matter that Sarbanes-Oxley doesn't actually require changing passwords: In the name of those "internal controls," auditors and consultants are prodding companies to require that employees pick tougher passwords, and change them more frequently.
But the zeal for impenetrable computer systems rubs up against the limits of human systems. To cope with repeated changes to multiple passwords, many users adopt strategies that actually thwart security.
...