A good password can last a very long time. It is especially safe if it is used for only one account, was generated from random letters, numbers and symbols, and is changed only when there is reason to suspect it has been compromised. However, there is a growing trend of account users being forced to change their passwords at fixed intervals, in some cases as often as every fifty days. According to the Communications-Electronics Security Group (CESG), a department within the Government Communications Headquarters (GCHQ), forcing users to change their passwords regularly can be counterproductive: the replacement passwords are more likely to have been used elsewhere, more likely to be written down, and more likely to be forgotten.
In CESG's own words: "CESG now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password if they have the old one. And users, forced to change another password, will often choose a 'weaker' one that they won't forget."
This advice might seem to go against everything the industry has been saying about online security, but a long-established, unique, randomly generated password that has served you well is doing its job, and there is no need to change something that is working unless you have reason to believe it has been exposed. For more details on this subject, see the Communications-Electronics Security Group (CESG) website (CESG has since become part of the National Cyber Security Centre, NCSC).