How Often Should You Change Your Password?
jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target."
I've always thought the SecurID system was interesting. If you're not familiar with it (and are too lazy to click the link or google it), it involves a little keyfob receiver that displays the current numeric password. The numeric password changes every 60 seconds (which might be configurable at the transmitting end), and is meant to augment your existing credentials.
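An added example, not part of the story or the comment above: a code that changes every 60 seconds is the expiration argument taken to its extreme, and this sketch shows how short the useful life of a captured code becomes. It uses the open TOTP algorithm (RFC 6238) as a stand-in, not SecurID's own algorithm; the six-digit length, the one-step clock-drift allowance, the `Verifier` class and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds a code stays on the display (the 60 s from the comment)
DIGITS = 6   # assumption: six-digit codes


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing `now` (Unix seconds)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: accepts a code only inside its window, and only once."""

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret = secret
        self.drift = drift      # steps of clock skew tolerated either side
        self.last_step = -1     # newest step already accepted

    def check(self, code: str, now: int) -> bool:
        current = now // STEP
        first = max(current - self.drift, 0)
        for step in range(first, current + self.drift + 1):
            if step <= self.last_step:
                continue        # step already used: a replayed code is refused
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    t0 = 60 * 28_333_334                   # start of a 60-second step
    stolen = totp(secret, t0)              # code seen by an eavesdropper
    for delay in (30, 119, 120, 3600):
        ok = Verifier(secret).check(stolen, t0 + delay)
        print(f"captured code presented after {delay:>4}s: accepted={ok}")
```

With a drift allowance of one step, a code captured the moment it appears is accepted for at most 120 seconds, and a second presentation of a code the server has already accepted fails immediately.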