In spring 2009 I published an article in the Hoosier Banker magazine.
The article, entitled “Sometimes Say Never,” was a slightly humorous “manifesto” about the illusion of password aging as a control.
The issue seems to be rising again. It came up in a meeting with a client who forwarded me a link to another great article about password aging, by Christopher Null (the technology writer for Yahoo! News.) This one cites recent studies!
Meanwhile I’m hearing from people who have discovered my post. Not one e-mail has pointed out something I might be missing in terms of my reasoning. They are all saying “exactly” and “right on.”
We auditors are still compelled to require at least 90 days, because we don’t want another auditor to come behind us and ding our clients for not following that practice. If you digg these articles, maybe we can change the mentality rather than our passwords!
At the least, you now have at least two articles to hand out in your next examination exit interview!
Dan Hadaway CISA, CISM