I recently overheard a colleague mention that, in hisopinion, the best form of password security for their enterprise is to notenforce monthly or quarterly password changes for their employees.  His reasoning? Enforcing tough passwords andforcing your employees to change them periodically often forces the employees towrite down their passwords (even sometimes posting them on a sticky noteattached to their monitors or desks). This, in his opinion, is more of a security risk than not enforcingperiodic password changes. 

 

At first, I thought that this is one of the craziest ideasthat I had ever heard. This goes against one of the most basic securityprinciples out there…make your passwords tough and change your passwords often.

 

Upon further thought, I decided that the logic behind this ideamakes some sense. Allowing your employees to maintain their passwords for anindefinite amount of time may help to alleviate those people that insist onwriting down their passwords.  This beingsaid, I do not think that this is a viable solution.  Whether or not you force your employees tochange their passwords or not, there will always be those that like to writethem down.  In addition, the risk thatyou would take in allowing indefinite access through a compromised accountwould outweigh the risk of someone reading a password.  




More...

I suggest people use mnemonics to make passwords - like

"She'll be coming around the mountain when she comes!"

That could be a reminder for

S'bca7wsc!

or

!csw7ab'S

making a simple substitution of 7 for t


It's then relatively safe to leave a sticky with the phrase hanging about.

Of course the phrase should be longer, and can even get more creative - like embedding the password in the first and last column of a 4 line phrase

They are creepy and they're kooky,
mysterious and spooky -
They are all together ooky
The A-d-ams Fam-ily!

The password would be "'T,m-TyT!" (better text would make a better password).