Why do I have to change my password every four months?

The main reason for regular password changes is to limit an account's exposure to misuse. Why every four months? Every time you type in your password it is at risk of compromise - by someone looking over your shoulder, through interception as it travels across the network, and so on. The more it's used the more opportunities there are for it to be disclosed inadvertently. Also, as noted below, certain types of 'brute force' attack - trying out every possible combination of characters to work out your password by trial and error - take time, especially for longer passwords. Regularly resetting passwords may prevent this kind of attack, or at least make it less attractive, given that the process will need to be repeated time and again. Resetting regularly also limits the damage that can be done without your knowledge, and helps to prevent continuing unauthorised use.

Of course, changing passwords too often can be counter-productive - people tend to forget them, or resort to less satisfactory ways of keeping track of them. Four months seems a reasonable compromise.

There are also good administrative reasons why forced expiration of passwords is desirable:

  • To enforce compliance with other new password controls. (Suppose, for example, that a new College policy requires all passwords to contain at least one punctuation character; expiring passwords allows the change to be brought in across the entire organisation within a fixed timescale.)
  • To help identify inactive accounts.
  • To help identify overactive accounts! (Resetting a password may uncover misuse; it may also identify legitimate but undocumented situations where an account is simultaneously being used by more than one person.)

In the light of the above considerations, forced expiration of passwords is considered good practice, and policies supporting such action are widely recommended (for example, in the British Standard Code of Practice for Information Security Management and in the US Processing Standards Publication 112 on Password Usage). University systems are increasingly subject to internal and external audit, and our systems managers are expected to demonstrate knowledge of and compliance with such standards.