
Showing posts from May, 2021

Time-based (expiry) password enforcement leads to poor password choices

If you work for an organisation where someone else has some influence over the security of your account, you may be subject to a policy of password expiry. Every 30, 60 or 90 days, you receive a prompt that advises you to change your password - if you ignore it, the prompts get increasingly aggressive - until one day you log in and you're forced to enter a new password to continue. Proactive account security is something I absolutely champion - but not like this.

What's wrong with forcing regular password expiry?

Passwords are a weak point of security, always have been - and until we rethink our approach to account security, probably always will be. But forced expiry has a similar effect on security as abstinence has on sex education: it looks like an idea that should be good, but it doesn't address the underlying issues. The weak link in this chain is us: users. We're told that we have to have at least 8 characters, at least one of those must be upper case, at lea