Don't worry. It's just me.

Password expiration - The dirty little secret

Andy Pedisich   June 11 2009 06:00:00 AM
There's a fun axiom that states, "Security and convenience have an inverse relationship." The more secure you make your environment, the more inconvenient it is to use. Make passwords weak and guessing is easy. Make them really strong and people will write them on Post-its and stick them on their screens.

Strong or weak, most domains don't require passwords to change often enough to suit me. Some don't require changing them at all. In a couple of domains I've had the same password since my ID was created years and years ago.

And it hasn't happened only with my Notes ID either. I've had corporate Active Directory account passwords, AIX passwords, and even VPN passwords that have stayed the same for many years.

Clearly, there are enterprises that are as serious as a heart attack about password management. I do work with shops that enforce reasonable password strengths and reasonable password expiration periods. Kudos to you. This post clearly isn't about you.

If you're an administrator for Notes or otherwise and you and your users are still using the original passwords you handed out when you created their IDs, then shame on you!  There are built-in processes for managing passwords in Notes.  Open the manual.  Read it.  Do something about it.  Please.

Having easy passwords that don't expire is like leaving the key to your house under the door mat. It's just a matter of time before you find an unwanted guest going through your sock drawer looking for spare change.

- Andy