How often should passwords be changed on a Microsoft business Network?

by Matt Logan – Aug. 2009

Ultimately, password change intervals come down to balancing administrative burden against risk. Changing passwords frequently is definitely wise from a security perspective, but it doesn't come without cost: the more frequently you change passwords, the greater the headache. There are other considerations that managers should know about as well. Let me explain.

There are two ways to change passwords: forced or on demand.

Forced – Password policies can be implemented either globally (all users) or selectively (by group) to force users to change their passwords every X days. Most companies wishing to implement this choose a value between 45 and 120 days. This isn't much of a problem, except that people forget their passwords more often as a result of changing them regularly, and forgotten passwords create a small tech support burden.

On Demand – Any in-house (non-remote) user can change their password at any time simply by pressing "Ctrl-Alt-Del" and choosing "Change Password". Remote users can do this as well, but depending on the connection type they may need a few minutes of training. Logging completely out of the system and back in is always recommended after changing your password.

Please also consider these three questions.

1. What is the degree of risk from internal employees knowing one another’s passwords?

2. What is the degree of risk from ex-employees knowing the passwords of those with remote access capability?

3. What is the degree of risk from internet-based persons/threats?

Because of these questions, changing passwords is a necessary evil and should occur at some regular interval, either manually or with an automated policy. Keep in mind that users can be grouped and a different policy applied to each group. If you choose not to implement an automated password routine, then you should at least change passwords any time you feel you have a problem with #1 or #2. Businesses with high turnover and liberal remote connectivity policies should be especially concerned about changing passwords regularly. For businesses without these problems, #3 is likely the greater concern. For #3 there is a new firewall device made by Calyptix which addresses internet-based threats much more thoroughly than a conventional firewall.
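As an added example (not from the original article), here is how the forced interval described above can be set on an Active Directory domain with PowerShell: one default policy for all users, a shorter interval for a remote-access group via a Fine-Grained Password Policy, and a check for accounts that have slipped past the interval. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and a domain at the Windows Server 2008 functional level; the domain and group names are placeholders.

```powershell
# Added example, not the article's own code. Assumes the ActiveDirectory
# PowerShell module and a 2008+ domain functional level (needed for
# Fine-Grained Password Policies). Domain and group names are placeholders.
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'      # assumption: your AD domain
$RemoteGroup = 'Remote-Access-Users'   # assumption: group allowed to connect remotely

# 1. Global (all users): force a change every 90 days, inside the 45-120 day
#    range discussed above. MinPasswordAge stops a user cycling straight back
#    to the old password; PasswordHistoryCount blocks reuse of the last 24.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -MinPasswordLength 12

# 2. Selective (by group): a shorter 45-day interval only for remote-access
#    users, the population most exposed to ex-employee risk (#2 above).
#    Lower Precedence wins when several fine-grained policies cover one user.
New-ADFineGrainedPasswordPolicy -Name 'RemoteAccess-45d' -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days 45) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'RemoteAccess-45d' -Subjects $RemoteGroup

# 3. Check: enabled accounts whose password is older than the global interval,
#    or which are exempt from expiry altogether (PasswordNeverExpires).
#    These are the accounts to follow up on if a forced policy is not used.
$Cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $Cutoff } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet
```

Review the output of step 3 before tightening MaxPasswordAge; service accounts flagged with PasswordNeverExpires usually need a separate fine-grained policy rather than the user interval.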

