On Fri, 08 Jun 2012 15:33:29 -0700, Hal Murray said:
>> Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals.
>> It's pretty commonsensical once the threat is understood.
> Does anybody have a good URL explaining that idea? It's been kicking around for many years. I've never seen a convincing writeup.
Gene Spafford did a nice analysis of the *contrary* a while ago, that changing and expiring passwords is essentially useless against the current threat model (he was writing about mandatory changes, but all the arguments hold up just fine for "should be changed" as well): http://www.cerias.purdue.edu/site/blog/post/password-change-myths/ http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/