Good Password Practice: Not the Golden Globe Award


The Boston Globe suggested that changing passwords is a waste of time, based on their interpretation of a paper by Cormac Herley. Herley's paper – well worth reading, by the way – reinforces a point that has been made many times both by me and by the "user education doesn't work" lobby. While I don't believe that education is useless, I do agree that end users tend to ignore a great deal of security advice because there's too much of it, it's often contradictory, and strict adherence to draconian policies makes their online experience more frustrating than it need be.

As it happens, I'm not a huge fan of over-frequent changes of password, though it's really a matter of context. Sometimes you need a one-time password, one that is different every time it's used. However, there is an issue in that rigorous enforcement of password changing tends to encourage end users to adopt avoidance strategies.
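To make the avoidance strategies concrete, here is an added Python example; it is not code from the original post, from ESET or from the papers mentioned. It shows the kind of check a password-change routine would need if it insists on expiry: is the "new" password merely a trivial transformation of the old one? The catalogue of transformations (appended or incremented digits and symbols, a case change, reversal, leetspeak substitution, a couple of character edits) is this example's own assumption about what users typically do when forced to rotate; the post itself does not enumerate them. Note that the check is about derivation from the previous password, not about strength in its own right.

```python
import re
import unicodedata
from typing import Optional

# Assumption for this example: the common ways users "change" a password
# without really changing it. Not drawn from the original post.
LEET = str.maketrans("aeiost", "431057")


def _normalize(pw: str) -> str:
    """Fold Unicode variants and case so 'Password1' and 'PASSWORD1' compare equal."""
    return unicodedata.normalize("NFKC", pw).lower()


def _strip_edges(pw: str) -> str:
    """Drop leading/trailing digits and symbols: 'password2!' -> 'password'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def trivial_rotation(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return the name of the avoidance pattern that turns `old` into `new`,
    or None if `new` is not a trivial derivative of `old`.

    Checks are ordered from most to least specific so the returned label
    describes the simplest transformation that explains the change."""
    o, n = _normalize(old), _normalize(new)
    if o == n:
        return "identical (case change only)" if old != new else "identical"
    if n == o[::-1]:
        return "reversed"
    oc, nc = _strip_edges(o), _strip_edges(n)
    # Guard on `oc` so two all-digit passwords are not reported as "same core".
    if oc and oc == nc:
        return "only leading/trailing digits or symbols changed"
    if oc and (oc.translate(LEET) == nc or nc.translate(LEET) == oc):
        return "leetspeak substitution"
    if _levenshtein(o, n) <= max_edits:
        return f"within {max_edits} edits"
    return None


if __name__ == "__main__":
    # Constructed sample pairs (old, new) for demonstration only.
    samples = [
        ("Password1", "Password2"),
        ("Password1", "PASSWORD1"),
        ("Tr0ub4dor&3", "Tr0ub4dor&4"),
        ("correct horse", "esroh tcerroc"),
        ("Password1", "P455w0rd1"),
        ("Password1", "Passw0rd1"),
        ("Spring2010", "Summer2010"),
    ]
    for old, new in samples:
        verdict = trivial_rotation(old, new) or "not a trivial derivative"
        print(f"{old!r:16} -> {new!r:16}: {verdict}")
```

A policy that rejects these derivatives forces a genuinely new secret, which is exactly the extra burden the post is warning about; the check is shown so the trade-off is visible, not as an endorsement of frequent expiry.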

I was going to post at some length here on the topic, but I noticed the post at, so I blogged something at AVIEN ( instead.

You might find a paper Randy and I did last year useful reading: There's also a paper I presented at EICAR some years ago that I quoted at some length in the AVIEN blog. It isn't currently available on the web anywhere, as far as I know, but I plan to fix that shortly. :) [Update: now available from]

Research Fellow & Director of Malware Intelligence

Author David Harley, ESET

Copyright © 2015 ESET, All Rights Reserved.