# The Myth of the Password Change

Eugene Spafford has a [recent blog post][1] on how security "best
practices" are often just myths that have been passed on over the
years, and have no current basis as a true best practice. The
example he gives is the required monthly password change, which is a
holdover from the non-networked mainframe days of old, and does
nothing to truly increase password security in today's world. He
recommends one-time passwords or two-factor authentication (tokens):

> In summary, forcing periodic password changes given today's
> resources is unlikely to significantly reduce the overall threat -
> unless the password is immediately changed after each use. This is
> precisely the nature of one-time passwords or tokens, and these
> are clearly the better method to use for authentication, although
> they do introduce additional cost and, in some cases, increase the
> chance of certain forms of lost password.
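The property Spafford describes, a password that is "changed after each use", is exactly what an event-based one-time password provides. The following is an added example, not code from this post or from Spafford's article: a minimal HOTP implementation following RFC 4226 (HMAC-SHA1 over a counter, dynamically truncated to six digits), checked against the published RFC 4226 test vector, plus a small server-side verifier that accepts each counter value at most once. The `HotpVerifier` class and its look-ahead window of 5 are my own assumptions for illustration; the test secret `12345678901234567890` is the one from the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a shared secret and an 8-byte big-endian counter.

    HMAC-SHA1 is computed over the counter; the low nibble of the last MAC byte
    selects a 4-byte window ("dynamic truncation"), whose top bit is masked off
    before reducing modulo 10**digits.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user (hypothetical helper, not from the post).

    Tracks the next expected counter so that a code, once accepted, can never be
    replayed. A small look-ahead window tolerates the client generating a few
    codes that were never submitted (resynchronisation per RFC 4226 section 7.4).
    """

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        # Search only forward from the last consumed counter; older counters are dead.
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                # Consume this counter and any skipped ones below it.
                self.next_counter = c + 1
                return True
        return False


# Secret from the RFC 4226 test vectors (Appendix D); counter 0 must yield 755224.
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for counter in range(3):
        print(counter, hotp(RFC4226_SECRET, counter))
    v = HotpVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("first use:", v.verify(first))   # accepted
    print("replay:   ", v.verify(first))   # rejected: the counter was consumed
```

The verifier is what makes the password "one-time": a captured code is worthless once the server's counter has moved past it, which is the failure mode periodic rotation only addresses on a monthly cadence.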

I mentioned previously how dangerous simple password authentication
was in the context of securing SSH servers. Spafford's article goes
into much more detail than I did on the risks of using passwords (I
only addressed one of his seven failure modes - cracking); it's
definitely worth reading if you are an admin.

[1]: http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/