As you may or may not know, I will be attending Valparaiso University this Fall as a Freshman.  When I attended Valparaiso’s Freshman orientation program, they taught us a lot about their online systems.  One thing I learned was that I will need to change my password every 185 days, and when I change it, it can’t be similar to whatever I had last time.  The idea here is that this will be more secure, because hackers will never know your password for an extended period.  However, I see a problem with this.

Forcing me to change my password to something completely different means forcing me to memorize a new password, something completely different, too.  Now, personally, I don’t think this will be much of a problem, because I’m pretty good at memorizing things.  However, if you aren’t that good at memorizing, this could cause a big problem: the urge to write down your password.  As anyone could tell you, writing down a password immediately creates a security risk, because anyone could see it written on a piece of paper, or take the paper, etc.  The safest place for a password is in your brain, and in your brain only.

So, is forcing users to change their password really more secure?  For some people, I think it will help, but I think it’s a practice that could only hurt others.  A better idea would be to enforce good password practice: have users create a nice, good length, password, containing at least one letter, number, capital letter, and special character.  Want to go for more security?  Force it to start and end with a letter.  Don’t just let the user tack an exclaimation mark on an otherwise easy-to-guess password.

Overall, I don’t think there will ever be a formula for password security.  There is no one end-all be-all tip I can give for keeping your password away from hackers.  Perhaps forcing people to change their password every x days really does help security.  But, I’d like to see some concrete proof of this before I believe it.