Reply to post: Re: Don't Just Blame Users

Just give up: 123456 is still the world's most popular password

Charles 9

Re: Don't Just Blame Users

"I understand that, my point was that if too-often password changes are mandated, the temptation is to use weaker passwords which are therefore more likely to be guessable. A slow password change policy, maybe even with auto-generated passwords, makes it more likely that the user will be willing to commit a strong password to memory, and make it less likely that that password is compromised between changes. I'm talking about someone trying to guess John Smith's passwords without any inside information."

But you assume people are guessing passwords instead of gleaning them. Mass guessing can usually be detected and noted as an attempt at an account (and handled accordingly), but an insider picking up on someone's password (reading the Post-It, for example) is much more insidious and the reason for a change policy: there usually won't be missed guesses in the latter case, and since it's already internal, it's virtually indistinguishable from real attempts.
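As an added illustration of the distinction Charles 9 draws (example code, not from the thread), a small detector that labels each successful login by the burst of failed attempts preceding it on the same account: a guessed password leaves a trail of failures, while a credential lifted from a Post-It logs in cleanly and is invisible to this rule. The log format, usernames and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format, not a real system's), in time order.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:02 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:03 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:04 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:05 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:06 OK user=jsmith src=203.0.113.7
2024-03-01T09:15:00 OK user=adoe src=10.0.0.12
2024-03-01T09:16:00 OK user=adoe src=10.0.0.12
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def classify_successes(events, max_failures=3, window=timedelta(minutes=5)):
    """For every successful login, count failures on the same account inside the
    preceding window. At or above max_failures the success is labelled 'guessing'
    (the detectable mass-guessing pattern); with zero prior failures it is labelled
    'clean', which is exactly what a stolen-but-correct password looks like."""
    failures = defaultdict(list)  # user -> timestamps of failed attempts
    labels = []
    for ts, result, user, _src in events:
        if result == "FAIL":
            failures[user].append(ts)
            continue
        recent = [t for t in failures[user] if ts - t <= window]
        label = "guessing" if len(recent) >= max_failures else "clean"
        labels.append((user, len(recent), label))
    return labels


if __name__ == "__main__":
    for user, count, label in classify_successes(parse(SAMPLE_LOG)):
        print(f"{user}: {count} prior failures -> {label}")
```

Both adoe logins are reported as clean even though the scenario gives no way to tell whether the second one was the account owner, which is why the thread argues for rotation rather than detection against that case.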
