The Boston Globe suggested that changing passwords is a waste of time, based on their interpretation of a paper by Cormac Herley. Herley's paper - well worth reading, by the way - reinforces a point that has been made many times both by me and by the "user education doesn't work" lobby. While I don't believe that education is useless, I do agree that end users tend to ignore a great deal of security advice because there's too much of it, it's often contradictory, and strict adherence to draconian policies makes their online experience more frustrating than it needs to be.

As it happens, I'm not a huge fan of over-frequent password changes, though it's really a matter of context. Sometimes you need a one-time password, which is essentially a password that changes every time it's used. However, there is an issue in that rigorous enforcement of password changing tends to encourage end users to adopt avoidance strategies: bumping a trailing digit, flipping the case of one letter, or tacking a character onto the end, so that the "new" password is trivially derived from the old one.
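As an added illustration (this is example code written for this post, not anything from Herley's paper or the Boston Globe piece), here is a small Python check of the kind a password-change handler could run to catch exactly those avoidance strategies. It compares the old and new password and names the shortcut it finds: a bumped trailing counter, a case-only change, the old password padded or trimmed, or a change of only a character or two (measured by Levenshtein distance). The sample passwords are constructed for the demonstration.

```python
import re
from typing import Optional

# Matches a password that ends in a run of digits: group 1 is the stem,
# group 2 the trailing counter ("Summer2010" -> "Summer", "2010").
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> Optional[str]:
    """Return the name of the avoidance strategy detected, or None if the
    new password is not trivially derived from the old one.

    max_distance is the number of single-character edits below which two
    passwords are treated as "the same password, slightly altered"."""
    if new == old:
        return "unchanged"
    if new.lower() == old.lower():
        return "case-only change"

    m_old, m_new = _TRAILING_DIGITS.match(old), _TRAILING_DIGITS.match(new)
    if m_old and m_new and m_old.group(1) == m_new.group(1):
        # Same stem, different trailing number: Summer2010 -> Summer2011.
        return "trailing counter bumped"

    if old in new or new in old:
        # Old password with something appended/prepended, or a truncation.
        return "old password padded or trimmed"

    if edit_distance(old.lower(), new.lower()) <= max_distance:
        return "few-character edit"

    return None


if __name__ == "__main__":
    # Constructed examples of the kind of change forced rotation produces.
    samples = [
        ("Summer2010", "Summer2011"),
        ("Summer2010", "summer2010"),
        ("Summer2010", "Summer2010!"),
        ("Password1", "Passw0rd1"),
        ("Summer2010", "Tr0ub4dor&3"),
    ]
    for old, new in samples:
        verdict = is_trivial_variant(old, new) or "genuinely new"
        print(f"{old!r:14} -> {new!r:14} {verdict}")
```

Whether a policy should reject such changes outright is a separate question; the point of the check is that if you mandate rotation you should at least measure how much of the resulting "change" is cosmetic, because that tells you how much security the policy is actually buying.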

I was going to post at some length here on the topic, but I noticed the post at http://www.eset.com/blog/2010/04/16/please-do-not-change-your-password-the-boston-globe, so I blogged something at AVIEN (http://avien.net/blog/?p=484) instead.

You might find a paper Randy and I did last year useful reading: http://www.eset.com/resources/white-papers/EsetWP-KeepingSecrets20090814.pdf. There's also a paper I presented at EICAR some years ago that I quoted at some length in the AVIEN blog. It isn't currently available on the web anywhere, as far as I know, but I plan to fix that shortly. :) [Update: now available from http://smallbluegreenblog.wordpress.com/2010/04/16/re-floating-the-titanic-social-engineering-paper/]

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://amtso.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/
http://chainmailcheck.wordpress.com
http://smallbluegreenblog.wordpress.com/