Tuesday, September 6, 2016

#empoexpiire An opposing view in praise of password expiration

If you know me, you know I'm not a fan of forced password expiration. However, I figured that I'd share this argument from a discussion of the 2012 Dropbox breach. After recommending that people not use the same password on multiple accounts, author Warwick Ashford said:

The breach only affects those Dropbox users who have not changed their passwords since 2012. By changing passwords regularly, even if breaches occur, they will be useful to hackers only for a limited time.

Businesses that force employees to change passwords regularly will also have reduced their exposure if any employees had used the same password for their Dropbox account, as well as any internal or other business-related accounts.

According to a TeleSign report, 47% of online account holders rely on a password that has not been changed for five years.

This does not negate what I've previously noted - people who are forced to change their passwords end up choosing simple, bad passwords - but it is something to consider.
blog comments powered by Disqus