The Security Theatre of Repeated Forced Password Changes

Does forcing a person to change their password often offer any real security?

Learn why unique key token generators should replace weak user passwords that need to be updated often.

Episode #11-47 released on July 20, 2021


Many websites, applications and businesses enforce a password change timeframe: after a set period you are required to change your password. For some it is every few weeks or months, for others more often. Depending on the level of security needed, the IT department may require password changes more or less often.

The question is, is that safer?

See, the issue is not having a person change their password; the issue is what end users do when they change passwords. Ultimately the new password is a variation of the old one, and some users will even rotate through a small set of passwords, making the account periodically less secure.

Then there is the practice of recording previously used passwords indefinitely to try to fight password reuse, which is not as safe as you would think.

Think of it this way: forcing a user to change the password introduces a chance of locking out the user, too. That means more work for IT, and there are better, more secure options than forcing a password change.

We have had the ability to use two-factor authentication for years now. It is not too complicated to use a similar system that gives you a unique key per session, and because the end user does not need to remember it or create it, it is more secure. That technology is not new either: RSA had key tag tokens for just this reason.

Let us be serious for a moment: a business or agency needing security should invest in real security. Unique tokens are safer than reused or slightly modified passwords. If you need real security, take password creation out of the hands of the end user and put it into an application. You can deploy unique key passwords alongside a login name and everything else stays the same, only safer, because even a person looking over the user's shoulder would not be able to log in with the same token; they would have to gain access to the token generator the user has in their possession. And chances are, if someone has their phone stolen, they will notice.

So, do every user a solid and stop asking us to change our passwords. It creates more work for you and offers extraordinarily little real-world security; it is more security theatre than actual security. If you need security, use a token generator instead.

Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net
