Yesterday my mother-in-law asked me to help her. She couldn't log in to the web application she needed for her work. Turns out that the password policy requires that the password must change every month. After some explaining and demonstrating, the problem was solved.
It is a good idea to change your passwords after a certain amount of time. It is more secure: if you ever lose your password, someone else can only use it for a certain amount of time. On the other hand, if there weren't any password policies that required us to change our passwords, would we change them? I think not. I use a lot of passwords, have a lot of accounts (too many!), and can't remember all of them. For example: I need at least 4 different passwords to do my job. The ones I type in every day I can remember, but having to change them annoys me. The logical thing to do, like a lot of my colleagues do, is to number them or use the number of the month in which the password is changed. But this creates an unsafe, guessable password. It is impossible to have a safe password and remember it after every change. People will write it down or use a less safe password, which makes the whole thing less secure. And password safes aren't applicable everywhere.
Wouldn't it be a better idea if the password policy didn't require you to change your password, but required a certain strength level? My password is like the key to my house. I have two locks to enter, so I need two keys. Both locks and keys have a certain level of strength to resist a break-in attempt. I guard my keys quite well, because I don't want anyone to break into my house. I am able to think of a strong password I can remember. If I know the risks of a break-in, I will protect my password. Of course we need other security measures to keep criminals from stealing my password, but these are always necessary.
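As an added illustration of a strength-based policy (this is example code, not part of the original post or any product the author uses), the check below estimates password strength in bits and also rejects a new password that only differs from the old one by a numeric suffix, which is exactly the "number them or use the month" habit described above. The 60-bit threshold, the suffix heuristic and the sample passwords are constructed assumptions for the demonstration.

```python
import math
import re
import string

# Heuristic: a trailing run of up to four digits is treated as a counter/month suffix.
SUFFIX_RE = re.compile(r'^(?P<stem>.*?)(?P<digits>\d{1,4})$')


def entropy_bits(password):
    """Rough upper bound on strength: length * log2(size of the character classes used).
    A real checker would also consult breached-password lists; this is only the
    strength-level idea from the post turned into a number."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def is_trivial_variant(new, old):
    """True when `new` is `old` with only the digit suffix changed (or identical),
    e.g. 'Welcome03' -> 'Welcome04', the pattern monthly rotation encourages."""
    if not old:
        return False
    m_new = SUFFIX_RE.match(new)
    m_old = SUFFIX_RE.match(old)
    stem_new = m_new.group('stem') if m_new else new
    stem_old = m_old.group('stem') if m_old else old
    return stem_new.lower() == stem_old.lower()


def check_policy(new, old=None, min_bits=60):
    """Return a list of rejection reasons; an empty list means the password is accepted.
    min_bits=60 is an assumed threshold for this example."""
    reasons = []
    bits = entropy_bits(new)
    if bits < min_bits:
        reasons.append("too weak: about %.0f bits, policy requires %d" % (bits, min_bits))
    if is_trivial_variant(new, old):
        reasons.append("new password is only a numbered variant of the previous one")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: the "month number" habit versus a genuinely new passphrase.
    print(check_policy("Welcome04", old="Welcome03"))
    print(check_policy("correct horse battery staple", old="Welcome03"))
```

The point of the second function is that a strength requirement alone does not stop the month-number habit: "Welcome04" and "Welcome03" score identically, so a policy that wants to replace forced rotation with strength still needs a similarity check against the previous password.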
I'm thinking that required password changes don't increase security, but keep security on the same level or even decrease it. Any thoughts, anyone?