Forum OpenACS Q&A: Re: Interesting article on web based password protection

Posted by Andrew Piskorski on
Checking for strong passwords sounds good, but I never understood the attraction of expiring passwords.

Maybe I'm missing something, but let's see, the user thought up a good, hard to break password, and carefully memorized it, so he never had to write it down anywhere and risk compromising security. Now what do you do? A few months later, you make him do it all again - you punish the user for his diligence.

IMO, that path leads right back to passwords on post-its and passwords like "foobar123". If you're lucky, the clever user will subvert your (hopefully simple-minded) password expiry scheme and simply alternate back and forth between two good secure passwords that he remembers.