Forcing users to change their passwords is not effective
At a company I consult for, they change the password every month. Not on all systems but on at least two (both Windows). It's a pain; what's worse is that changing passwords regularly doesn't work. Here are my pet peeves for usernames and passwords:
- User names or passwords that can't handle "special" characters. I like to use special symbols like @ or % but a lot of sites don't permit that.
- User names or passwords that have a limited maximum length. Why can't I have a password that's 200 characters?
- Passwords that are a fixed length. This actually makes it easier for someone to guess your password.
- Passwords that can only be numbers; people end up using their birthday or social security number.
- Passwords that can't be cut and pasted. Banks sometimes do this because they are afraid of keyloggers. I'm not against that if you are checking your account from an internet café, but if you are on a trusted computer why not allow cutting and pasting a password?
- Usernames that are assigned. Companies often do this. Sometimes one part of the same company gives you skirkwood, another part kirkwood, and another one scott. At a company I work for, it's easy to guess a username since they are all numbers and are given out serially.