What happens when your user changes his password?

You just forced the user to change his password; periodic password changing is good policy, right?

Now lets see what happens next:

  • The user sends the password to himself by email, in plaintext, so he won’t forget. Now it’s in his inbox, viewable on the email ‘preview’ section to anyone shoulder surfing
  • He then writes it on a post-it note. The cleaning person threw out the previous password (but that’s ok, he finally remembered it). Now there’s a post it with the password in the top right drawer
  • He then sends it to his wife/friend/colleague who also uses the account sometimes. Now it’s in another person’s inbox, again in a preview pane. He might have typed their email wrong and sent it to someone else by mistake, or maybe they put it on a post-it note too
  • The next time he tries to login he will use the old password (that he remembers) and fail. Your system will lock him out, and he will call to have it released. Another false positive that makes the person auditing the log for lock outs not pay attention to the warnings
  • He will then sign up to the new and cool social web site and use this last password as his password there. It’s already on the post-it note: Why write another? This new social web site will soon be cracked and your user’s password will be available online

Remind me again why changing passwords periodically is good for security? Oh, I get it. You were just living up to the bad reputation and preventing ease of use.


  • Sceptic

    You are just taking the worst possible scenario at every step of the way and considering that as the only thing that happens.

    Maybe if you have a point to make, you should have put that in the post as well?

    • Aviram

      If you think those are the worse possible scenarios, you haven’t been working with ordinary users much.

  • http://durdle.com/ Howard Durdle

    All those steps are plausible, but I wonder if anyone has done any studies to back up our experience with more rigorous data? What % of users perform one or more of those actions? Which industries do they work in – are some industries better than others? Do intelligence scores or professional qualifications correlate at all with tendency to make bad security decisions?

    As a security professional I know what I believe to be true based on my experience, but I have no hard data.

  • justin

    this is attitude is why #5 is effective.

    • Aviram

      Very true.