As someone who is nerdily proud of her ability to remember dozens of passwords, I was interested to read a Microsoft study which says that changing your password frequently – something that people in offices and other organizations often find themselves obliged to do – might not actually be necessary.
So, how did the researchers come to this daring conclusion? Well, they start from the observation that computer users in general have a bad reputation for security: they use crappy passwords, forget to change them and click straight through security certificate warnings. So, can we conclude that most people are stupid? Not so, say the Microsoft researchers. People don’t bother because the benefit to the individual user is tiny compared with the time and effort the advice costs them. In other words, from the user’s point of view it’s just not worth the effort.
It would be hard to claim that good security practice wasn’t a pain in the neck at times, especially in situations where you use multiple passwords or have to change them frequently. Checking all those security certificates and examining unknown emails for signs of phishing can be boring – not to mention making you feel a little paranoid. So, does that mean that we should abandon them?
Absolutely not! As I read in one blog post comment, most people never get into a car wreck, but the vast majority of us still wear seatbelts. Ok, so the precise dangers of riding in a car are well documented, and the dangers faced by computer users unfortunately aren’t, but basic, low-level computer security isn’t a chore at all. A password manager that generates and remembers a different password for every site, a glance at the certificate before you type anything sensitive into a website, and you’re done.
Sure, Windows’ incessant “would you like to change your password?” messages are irritating, but the expiry policy behind them is your employer’s prerogative, not yours. Sorry for being a party pooper, but if your company gets hacked or a disgruntled employee accesses sensitive information, you can be fairly sure the money it takes to repair the damage isn’t coming out of your payslip. Until it is, I’m afraid you’re just going to have to change your password when Vista tells you to!