I plan to spend some time looking at all the stuff surrounding password expiration policies, so consider this post the first in a potential series.
What is a password expiration policy? It is a set of business rules, possibly codified in a written procedure, that governs account passwords.
Let's say that on January 1, I establish an account with a certain password. 80 days or so later (assuming a 90-day password expiration policy), I'll get messages saying that I need to change my password in 10 days. Some time within the next 10 days - possibly on the 9th or 10th day - I bite the bullet and change my password.
90 days later, the process repeats itself. I think to myself, "Well, I'll just switch to the password that I was using on January 1." No, no, the system might say; you cannot reuse your previous password...or your previous 4 passwords...or your previous 16 passwords.
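To make the mechanics of the policy described above concrete, here is a small model of it: a 90-day expiry with a 10-day warning window and a password-history check that refuses the previous passwords. This is an added example and not code from the post; the history depth of 4, the dates and the passwords are constructed for illustration, and the history stores salted PBKDF2 digests rather than plaintext so a stored history is not itself a list of usable secrets.

```python
"""Toy model of a 90-day password expiration policy with a reuse history.

Added example, not from the post. Dates, passwords and the history depth are assumed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import os

EXPIRY_DAYS = 90       # password must be changed every 90 days
WARNING_DAYS = 10      # start warning this many days before expiry
HISTORY_DEPTH = 4      # the previous N passwords may not be reused (assumed value)
PBKDF2_ROUNDS = 50_000 # kept modest so the example runs quickly; use more in production


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def status_for(days_since_change: int) -> str:
    """Policy verdict given the age of the current password in days."""
    days_left = EXPIRY_DAYS - days_since_change
    if days_left <= 0:
        return "expired"
    if days_left <= WARNING_DAYS:
        return f"change within {days_left} day(s)"
    return "ok"


@dataclass
class Account:
    changed_on: date
    # (salt, digest) pairs, newest first: the current password plus up to
    # HISTORY_DEPTH previous ones.
    history: list = field(default_factory=list)

    def was_used_recently(self, password: str) -> bool:
        # Constant-time comparison against every retained digest.
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, password: str, today: date) -> None:
        if self.was_used_recently(password):
            raise ValueError(
                f"password matches the current or one of the previous {HISTORY_DEPTH} passwords")
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(password, salt)))
        del self.history[HISTORY_DEPTH + 1:]   # keep current + HISTORY_DEPTH previous
        self.changed_on = today

    def status(self, today: date) -> str:
        return status_for((today - self.changed_on).days)


def create_account(password: str, today: date) -> Account:
    acct = Account(changed_on=today)
    acct.set_password(password, today)
    return acct


def simulate() -> dict:
    """Walk through the January 1 scenario with constructed dates and passwords."""
    jan1 = date(2024, 1, 1)
    acct = create_account("winter-2024", jan1)
    out = {
        "day_0": acct.status(jan1),
        "day_80": acct.status(jan1 + timedelta(days=80)),
        "day_90": acct.status(jan1 + timedelta(days=90)),
    }
    # Day 89: bite the bullet and change it.
    acct.set_password("spring-2024", jan1 + timedelta(days=89))
    out["day_91"] = acct.status(jan1 + timedelta(days=91))
    # 90 days later, try to go back to the January 1 password: refused.
    try:
        acct.set_password("winter-2024", jan1 + timedelta(days=179))
        out["reuse_blocked"] = False
    except ValueError:
        out["reuse_blocked"] = True
    # Only after HISTORY_DEPTH further rotations does the old password fall out of the history.
    for i in range(HISTORY_DEPTH):
        acct.set_password(f"throwaway-{i}", jan1 + timedelta(days=179))
    out["reusable_after_rotations"] = not acct.was_used_recently("winter-2024")
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The last step of `simulate()` shows the well-known weakness of this kind of policy: a user who cycles through a few throwaway passwords gets the original one back, and the history check cannot distinguish that from a genuine change. Current NIST guidance (SP 800-63B) advises against forcing periodic rotation at all unless there is evidence the password has been compromised.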
Let me tell you a story - in essence, the reason why I wanted to write this series in the first place.
Eleven years ago, I set up a free account with a popular website that provides business information. This put me on the website's mailing list, but I frankly haven't been to the website itself all that often.
"Hmm," I thought to myself, "this website provides useful information. Perhaps I should visit it more often." So, for the first time in...well, in several years, I went to the website and logged in, using my password that I established oh-so-long ago.
And I got the following message:
Your Password has expired. Your password must be changed every 90 days for your protection. Please provide a new password below to access your account.
For my protection. We'll get back to that, I'm sure.
In the meantime, I was thinking to myself, "If I want to commit to accessing this website again, I'm going to have to change my password again and again. Do I REALLY want to access this website THAT badly?"
The answer was no.
Now I just have to stop the emails from the website - or, if the website makes it too hard to do so (what if I have to log in to stop the emails?), then I'll just block them. The website will never know the difference, and won't realize that I have intentionally stopped visiting the site because password hassles weren't worth the trouble.