Mandatory Password Changes Cost Billions In Lost Productivity

Big enterprises that force their workers to change their access passwords on a regular basis, and adhere to complex rules when they do, might be their own worst enemy. At least that’s how Boston Globe editor Mark Pothier sees it, and he cites a Microsoft research paper as part of his argument against that and other seemingly perfunctory IT rules.

We prefer using a solid root password and subtle variations to implement secure passwords, along with easy-but-secure browser tools. What does your own office require of your passwords, and do you think it helps or hurts? [Boston Globe via Gizmodo]


  • At my school we have to have 8 characters, one must be a capital, one must be a special character or number and it can’t contain our name. So I just use the same kind of string of passwords, for example,
    Username1, Username2, Username3, Username4

    I don’t know why the school even bothers with that level of security among students as it isn’t like any sensitive information is on our accounts.

  • This gets me thinking – why haven’t keyboards (and Windows) been extended to contain simple fingerprint reading devices for logging in? Or even a cheap USB device you can stick on the side of your monitor?

    Surely this would save millions of dollars in “Hey IT, I forgot my password” calls and means I’d never get that nagging change your password pop up box at work again!

  • Working in IT support for a ridiculously huge govt department (outsourced) I can say that the majority of calls we have are for forgotten passwords or locked accounts, either for the system, remote portals or applications. The main system requires a capital letter and number, and must be reset every 45 days. The amount of taxpayer money spent on these jobs is staggering.

    The fact is that there are just too many passwords in an individual’s life to remember 100%, and there is always that one annoying program or website that restricts passwords to a format/character length that is completely different to what you use as a standard. I have to enter 6 username/password combinations for the system and applications just to start in the morning, and they are all ‘supposed’ to be different passwords.

    One solution that I have seen implemented is a system where the users can have their passwords reset by colleagues, for instance sending half a password to each of two other people. This relies on accountability to ensure that it is used securely, as the person resetting the password takes responsibility for the security of it.

  • I don’t know how often we’re required to change it, but the main computer at my work is used by ~10 people. Nobody takes the initiative to change it, until we’re suddenly locked out.

    The worst is the stupid rules: we’re not allowed to use a password which has been used in the previous -24- passwords. Which has now resulted in us running out of the standard passwords everyone will know, and going to [unoriginal password]1 through 4.

  • My uni cuts off everything but your actual account log in if you don’t change your password. I spent ages trying to work out why my internet was broken, checking my DNS settings. I had to use a lab computer to fix my laptop by changing my password.

  • Everyone whinges about passwords and stuff and complains endlessly, but do you want the alternative?
    If you don’t focus on why we have passwords, all you see is the PITA process of changing them. The amount of website passwords saved in browsers means that once someone is on the machine, everything is available.

    If someone logs onto a machine as you and accesses illegal or inappropriate material, or even just information that you aren’t entitled to, you are going to have a devil of a time convincing the authorities that it was someone else.

    Sure, some password complexity is over the top but, frankly, they aren’t going away in a hurry…
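Several commenters describe the same policy shape (minimum 8 characters, a capital, a digit or special character, no username, no reuse of the last 24) and the same workaround (Kookaburra1, Kookaburra2, …). The following Python is an added, constructed example, not code from the Boston Globe piece, Microsoft's paper or any commenter: it encodes those quoted rules as written and shows that a numbered rotation passes every one of them. The `is_trivial_rotation` check, which compares a candidate against recent passwords after stripping trailing digits and punctuation, is an assumption of this example and not something the page describes; the username `jsmith` and the password history are constructed sample data.

```python
"""Password-policy checker modelled on the rules quoted in the comments above.

Constructed example, not from the article. The policy constants are the values
the commenters describe. The "stem" comparison in is_trivial_rotation is an
added assumption: it catches the Kookaburra1 -> Kookaburra2 pattern that the
quoted rules, including the 24-password history, let straight through.
"""
import string
from typing import List

MIN_LENGTH = 8          # "8 characters"
HISTORY_DEPTH = 24      # "the previous -24- passwords"
SPECIALS = set(string.punctuation)

# Constructed sample data: a user who rotates a suffix each reset.
SAMPLE_USERNAME = "jsmith"
SAMPLE_HISTORY = ["Kookaburra1", "Kookaburra2", "Kookaburra3", "Kookaburra4"]


def check_basic_policy(password: str, username: str) -> List[str]:
    """Return the list of violated composition rules; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() or c in SPECIALS for c in password):
        problems.append("no digit or special character")
    if username.lower() in password.lower():
        problems.append("contains the user's name")
    return problems


def stem(password: str) -> str:
    """Case-fold and drop any trailing digits/punctuation.

    'Kookaburra2!' and 'kookaburra7' both reduce to 'kookaburra', which is what
    makes the numbered-rotation pattern detectable.
    """
    return password.rstrip(string.digits + string.punctuation).lower()


def is_trivial_rotation(password: str, history: List[str]) -> bool:
    """True if the candidate is a recent password with only its suffix/case changed."""
    candidate = stem(password)
    return any(stem(old) == candidate for old in history[-HISTORY_DEPTH:])


def check_history(password: str, history: List[str]) -> List[str]:
    """Exact-reuse rule as quoted on the page, plus the added stem check."""
    problems = []
    if password in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    elif is_trivial_rotation(password, history):
        problems.append("trivial variant of a recent password")
    return problems


def evaluate(password: str, username: str, history: List[str]) -> List[str]:
    """All violations for a candidate; an empty list means it would be accepted."""
    return check_basic_policy(password, username) + check_history(password, history)


if __name__ == "__main__":
    # Kookaburra5 satisfies every quoted rule; only the added stem check objects.
    for candidate in ["Kookaburra5", "Kookaburra4", "jsmith2010A", "Wombat-tea-7am"]:
        print(f"{candidate:16} basic={check_basic_policy(candidate, SAMPLE_USERNAME)} "
              f"history={check_history(candidate, SAMPLE_HISTORY)}")
```

One practical caveat for anyone adapting the stem check: real systems store password history hashed, so the comparison can only be made at change time against the old password the user has just supplied in clear, or against a separately stored hash of the stem. That limits it to catching rotation from the immediately previous password unless stems are stored deliberately.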
