Microsoft Researcher Cormac Herley: Frequent Password Resets are a Waste of Time

Last Updated Apr 20, 2010 8:19 PM EDT

If your company is anything like mine, you need to change your PC's password every few months. The new password must conform to a slew of rules, and it can't be too similar to the last few passwords you've used.

And, says Cormac Herley, principal researcher for Microsoft Research, it's all a waste of time and money.

In the recent Boston Globe story "Please do not change your password," Herley says that the time cost of forcing all these frequent password changes far exceeds the current cost of actual cybercrime, meaning we cost ourselves more than the criminals we're trying to thwart.

For example, the story says:

The annual cost nationwide as a result of phishing attacks is $60 million. For banks, the greater potential for damages comes not from a phishing attack itself, but indirect expenses. Herley used Wells Fargo as an example. He wrote that if a mere 10 percent of its 48 million customers needed the assistance of a company agent to reset their passwords - at about $10 per reset - it would cost $48 million, far surpassing Wells Fargo's share of the $60 million in collective losses.

So what's the bottom line? Giving up on passwords? Of course not -- indeed, Herley has some specific recommendations:

Always use strong passwords, such as the kind you can easily get from a homemade substitution cypher.

A corporate policy of frequently changing passwords is pointless, since it relies on criminals waiting to use a filched password until after they are routinely reset, which is not likely to happen.

Install the latest anti-virus software to shield against viruses and spyware, and be sure it is set to auto-update. [via Gizmodo]