Slashdot Mirror


Are Often-Changed Long Passwords Really Secure?

Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secure password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?" "I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc.), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets' names (fuzzy1cat, fuzzy2cat, etc.) and start writing passwords on a note on their screen?

Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
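The "fuzzy1cat, fuzzy2cat" failure mode the question predicts is easy to catch at password-change time, and doing so also shows how the stated policy treats a long passphrase. The following is an added example, not code from the original post or from the poster's employer: a small policy checker with the question's own rules (8+ characters, letters and digits, no reuse) plus a rotation check that flags a new password that is the previous one with the digits changed or a symbol tacked on. The password history is constructed sample data.

```python
import re
from difflib import SequenceMatcher

# Constructed password history for one user; the "fuzzy1cat, fuzzy2cat" pattern
# is the one the question predicts. Assumed sample data, not from the post.
HISTORY = ["fuzzy1cat", "fuzzy2cat", "fuzzy3cat"]


def strip_digits(pw: str) -> str:
    """Lower-case and drop all digits, so 'fuzzy1cat' and 'fuzzycat2005'
    both become 'fuzzycat'."""
    return re.sub(r"\d+", "", pw.lower())


def looks_like_rotation(candidate: str, history, threshold: float = 0.8) -> bool:
    """True if candidate is a trivial variant of any earlier password.

    Two checks: identical once digits are removed (a bumped counter), or a
    high character-level similarity ratio (an appended or swapped symbol).
    """
    for old in history:
        if strip_digits(candidate) == strip_digits(old):
            return True
        if SequenceMatcher(None, candidate.lower(), old.lower()).ratio() >= threshold:
            return True
    return False


def check_policy(candidate: str, history) -> list:
    """Apply the policy from the question (8+ chars, letters and digits,
    no reuse) plus the rotation check. Returns violations; empty = accepted.
    'Alphanumeric' is read here as 'must contain letters and digits'
    (an assumption; the post does not spell out the rule)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("needs both letters and digits")
    if candidate in history:
        problems.append("reused a previous password")
    elif looks_like_rotation(candidate, history):
        problems.append("trivial variant of a previous password")
    return problems


if __name__ == "__main__":
    for pw in ["fuzzy4cat", "Fuzzy3Cat!", "correct horse battery", "Il/mIp10t"]:
        print(f"{pw!r:25} -> {check_policy(pw, HISTORY) or 'accepted'}")
```

The rotation check is the part most policies skip: a plain "not equal to the last N passwords" rule accepts fuzzy4cat, while the digit-stripped comparison rejects it. The run also shows the policy's blind spot in the other direction: a three-word lowercase passphrase is refused for lacking digits even though it is far longer than any 8-character string.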

3 of 233 comments

  1. Desk by maeka · Score: 5, Insightful

    As long as they don't check the post-it note under your desk - the password is secure!

    But seriously, does a policy like this do anything but encourage people to write down their passwords?

  2. Complexity or Quantity by Fatchap · Score: 5, Insightful

    Is the problem not that your password has very strict complexity requirements but that there are too many of them?

    I did read a paper (I think from Microsoft, not sure) about how passwords were essentially redundant as you could precompute the hashes of all alphanumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a pass phrase as the way forward. Perhaps something along the lines of "I love /. last month I posted 10 times". This fulfils all requirements for complexity and is changeable and easy to remember.
    The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.

    --
    The only reason some people get lost in thought is because it's unfamiliar territory.
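
The precomputation attack this comment describes, and the reason a per-user salt defeats it, as an added example that is not code from the post or from the paper the commenter half-remembers. It also puts numbers on the "complexity or quantity" question by comparing the keyspace of an 8-character alphanumeric password with that of a randomly chosen multi-word passphrase (a random phrase, not the quoted sentence, which is not uniformly random). SHA-1 is used purely for illustration; the argument is the same for any fast unsalted hash. The toy alphabet, the victim password and the salt are constructed so the demo runs offline in about a second.

```python
import hashlib
import itertools
import math
import os
import string


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive precomputation has to cover."""
    return alphabet_size ** length


def unsalted_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt: a table built without the salt no longer applies."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_table(alphabet: str, length: int) -> dict:
    """Precompute unsalted SHA-1 for every string of `length` over `alphabet`.

    This is the attack the comment describes. An attacker would store it
    compactly (rainbow tables) rather than as a Python dict, but the lookup
    step is the same: one hash in, one password out.
    """
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        pw = "".join(chars)
        table[unsalted_hash(pw)] = pw
    return table


def crack(digest_hex: str, table: dict):
    """One dictionary lookup: returns the password, or None if not covered."""
    return table.get(digest_hex)


# Toy keyspace: 3 characters over [a-z0-9] = 36**3 = 46,656 entries.
TOY_ALPHABET = string.ascii_lowercase + string.digits
TOY_LENGTH = 3

if __name__ == "__main__":
    print(f"8-char [A-Za-z0-9]: {keyspace_size(62, 8):,} candidates, "
          f"{keyspace_bits(62, 8):.1f} bits")
    print(f"7 random words from a 10,000-word list: "
          f"{keyspace_bits(10_000, 7):.1f} bits")
    table = build_table(TOY_ALPHABET, TOY_LENGTH)
    victim = "k9z"                       # constructed victim password
    print("unsalted hash -> ", crack(unsalted_hash(victim), table))
    salt = os.urandom(16)                # random per-user salt
    print("salted hash   -> ", crack(salted_hash(victim, salt), table))
```

Two things to take from the run. First, 62^8 is about 2.2 x 10^14 candidates (47.6 bits), which a one-time precomputation can cover, whereas seven random words from a 10,000-word list give about 93 bits, out of reach of any table. Second, the salted lookup returns None even though the password is in the table: with a 16-byte random salt the attacker has to redo the precomputation per user, which is exactly the property that makes the "precompute everything" attack fail.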
  3. passwords.... by DarKry · Score: 5, Insightful

    Honestly this whole password thing is idiotic. Companies are finally answering to the security risks of ten years ago. At this rate by 2010 they will be fixing SQL queries based directly off user input. When it comes to cracking/stealing a person's password, the best method nowadays is always to steal. It doesn't matter if your password is 3 pages long; if you give it to me I will be able to log in as you. Strong passwords are only as good as the minds of those who use them. Add to that the fact that the longer and more complex a single password is, the more likely the employee is to use that password in multiple places.

    Let's say I want access to a company's VPN. Even if I don't know how strong the passwords are, connecting and trying a bunch of easy ones would be pretty dumb. Instead 5 minutes on Google will tell me the name of Joe Blow who works there, what his email address is, and a whole bunch of things that he is interested in. So I email Joe Blow with targeted spam, tell him about this amazing new website that just happens to be a community of people with exactly the same interests as him. He goes there and finds out that he needs to set up an account to view the forum. So he has this 10 page password from work that he has already memorized anyway (he wouldn't want anyone breaking into his forum account), so he goes ahead and puts it in the password field. Turns out the forum kind of sucks so he promptly forgets about the site. TADA: VPN access, and it only took 20 minutes. This works more than 50% of the time, and the average company has a few more than 2 employees. Watch 90% of the people who see this change their Slashdot passwords. :)