Three months change password can really improve the security of information?

How long have you not changed the password of the bank card? If the bank lets you change the password for three months, and the new password cannot reuse the last 5 used passwords, will you be mad?
Recently I implemented a project, a large number of users complained about the information system three months to change the account password strategy is very troublesome, even "harassment." Three months of time passed quickly, the user had to re-modify the password, and according to the information System password complexity requirements, "can not reuse the last 5 used password", so users have to create a lot of infrequently used and difficult to remember the new password, it is easy to forget the password, have to re-apply settings, The experience is really bad for the user, and it's a nuisance for normal work.

three months to change the password can really improve the security of information? in a way, such a password policy can indeed reduce the risk of loss of information, for example, the hacker obtained or cracked the user's password in some way, he can access the system within three months, but after three months, the password will expire, Enterprise/ The loss of the user's information ends there. But is that really the case? Microsoft several years ago a research report: Frequent password changes is useless

Microsoft undertook the study to gauge what effectively frequent password changes thwart cyberattacks, and found that the A Dvice generally doesn ' t make much sense, since, as the study notes, someone who obtains your password would use it Immediately, not-sit on the IT for weeks until you had a chance to the change it. "That's about as likely as a crook lifting a house key and then waiting until the lock was changed before sticking it in th E door, "the Globe says. On the bright side, changing your password isn ' t harmful, either, unless you use overly short or obvious passwords or you ' Re sloppy about what you remember them. (Many users forced to change their password too frequently resort to writing them on sticky notes attached to their Monito R, about the worst possible computer security behavior you can undertake.) rather, frequent password changes is simply a waste of time and, therefore,money. According to the Microsoft researcher ' s very rough calculations:to is economically justifiable, each minute per day Computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual saving s from averted harm. No one can cite a real statistic on password changes ' averted losses, but few would estimate it's anywhere approaching $16 Billion a year.

personal point of view, for the enterprise internal Information System, regular password change may be necessary, but it really does not need to be three months in such a short time, we need to find a more appropriate balance between security and user experience, appropriate relaxation standards are very necessary.
Recommended reading: study:frequent password changes is uselessHttp://web.archive.org/web/20100423185209/http://news.yahoo.com/s/ytech_wguy/20100413/tc_ytech_wguy/ytech_ wguy_tc1590Why does we annoy our users?http://www.sicpers.info/2010/03/why-do-we-annoy-our-users/ Your passwordhttp://web.archive.org/web/20100414135812/http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/ Please_do_not_change_your_password/?page=fullWhy changing Your passwords Often could be a waste of timeHttp://lifehacker.com/5966214/how-often-should-i-change-my-passwordsHow does changing your password every-days increase security?http://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security

Copyright NOTICE: Reprint Please indicate the source by the link form

Three months change password can really improve the security of information?