Several places I have worked have implemented a security system of requiring employees to change their passwords frequently. The idea is simple. If your users change their passwords frequently, it is less likely someone might find their password and be able to get into the system. It makes a lot of sense when you think of it that way.
I tend to think the practice is counter-productive however. I personally have a couple passwords I like to use, can remember, that are very long, have multiple character-sets in them, numbers, letters, etc. However, at each company I have worked at I have come to realize I find myself using shorter and shorter passwords that I can remember and not forget, because I run out of the long ones I know and use regularly. I can almost guarantee no one will be able to break easily any of the long passwords I use. I cannot guarantee the ones I change frequently at the companies I work at won’t be cracked. I think it’s time companies like Microsoft rethink their frequent password-change strategy that they allow companies to deploy throughout the network. I think it encourages bad security.
