Users hate them. They're a massive headache to network administrators. But IT
departments often mandate them nonetheless: regularly scheduled password changes
— part of a policy intended to increase computer security.
Now new research proves what you've probably suspected ever since your first
pop-up announcing that your password has expired and you need to create a new
one. This presumed security measure is little more than a big waste of time, the
Boston Globe reports.
Microsoft undertook the study to gauge how effectively frequent password
changes thwart cyberattacks, and found that the advice generally doesn't make
much sense, since, as the study notes, someone who obtains your password will
use it immediately, not sit on it for weeks until you have a chance to change it.
"That’s about as likely as a crook lifting a house key and then waiting until
the lock is changed before sticking it in the door," the Globe says.