Every time I start at a new organization, I spend some time sitting down and making a very strong password. The kind of password I would trust my retirement savings to. I'll sit down and dedicate a solid 30 minutes to transforming a bizarre but easy-to-remember phrase into 20-30 special characters, with abbreviations instead of full words. Then I'll spend the time to commit it to muscle memory. I've done this probably 30 times over the past 20 years.
60 days later, maybe I make another new very strong password. 60 days after that, it's 8:15 and my computer is forcing me to update my password and I have an 8:30 meeting and now my password is asdfg;lkjh. 60 days later it's asdfg;lkjh1. And so on.
Password expiration dates are one of those things that just don't work with human beings. It's the "work harder, not smarter" approach to security. Somebody wrote it down once, and now everybody who came along later copied the same bad checklist and added more bad things to it. Instead of working to improve the practical security of their system, they work to adhere to their arbitrary checklist. It only makes sense from the most cynical Dilbert perspective.