Makes sense, right? However, according to a recent post (via The Register) by GCHQ's Communications-Electronics Security Group (CESG), it seems they want you to stop forcing regular password resets, arguing that the practice only ends up costing resources and is very inconvenient for users.
According to their post, “The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember. While we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.”
Basically, the result is users forgetting their passwords and service desks having to reset them all the time, wasting time and resources in the process. The alternative they suggest is a system that shows users when they last logged in, so the users themselves can flag a login time they do not recognise. The only problem we see with that is that by the time a user notices, it could already be too late. But what do you guys think?