#empoexpiire - When password expiration policies are self-defeating

I plan to spend some time looking at all the stuff surrounding password expiration policies, so consider this post the first in a potential series.

What is a password expiration policy? It is a set of business rules, possibly codified in a written procedure, that governs account passwords.

Let's say that on January 1, I establish an account with a certain password. 80 days or so later (assuming a 90 day password expiration policy), I'll get messages saying that I need to change my password in 10 days. Some time within the next 10 days - possibly on the 9th or 10th day - I bite the bullet and change my password.

90 days later, the process repeats itself. I think to myself, "Well, I'll just switch to the password that I was using on January 1." No, no, the system might say; you cannot reuse your previous password...or your previous 4 passwords...or your previous 16 passwords.

Let me tell you a story - in essence, the reason why I wanted to write this series in the first place.

Eleven years ago, I set up a free account with a popular website that provides business information. This put me on the website's mailing list, but I frankly haven't been to the website itself all that often.

"Hmm," I thought to myself, "this website provides useful information. Perhaps I should visit it more often." So, for the first time in...well, in several years, I went to the website and logged in, using my password that I established oh-so-long ago.

And I got the following message:

Your Password has expired. Your password must be changed every 90 days for your protection. Please provide a new password below to access your account.

For my protection. We'll get back to that, I'm sure.

In the meantime, I was thinking to myself. "If I want to commit to accessing this website again, I'm going to have to change my password again and again. Do I REALLY want to access this website THAT badly?"

The answer was no.

Now I just have to stop the emails from the website - or, if the website makes it too hard to do so (what if I have to login to stop the emails?), then I'll just block them. The website will never know the difference, and won't realize that I have intentionally stopped visiting the site because password hassles weren't worth the trouble.