One of my favorite “fables” from my friend Peter Beddows tells the story of a family that always cut inches off the ends of the ham before cooking. The inquisitive young daughter asked why, but the only answer seemed to be that it was a long-standing technique passed on for generations. They finally asked the great-great-grandmother, who explained that it was – at the time – the only way to fit the roast in her small turn-of-the-century oven.

The reason I bring this up is that I was recently faced with a “why do I have to change my password?” question from my users. Armed only with a standard – though unsatisfying – answer of “it’s a best-practices methodology”, I wondered if maybe I had been sucked into a common tradition of the masses without any rational thought behind it. Was I throwing away some perfectly good meat just because “that’s the way we’ve always done it”? I decided to investigate further.

While everyone seems to agree that strong passwords are important, I have found nothing to indicate that password rotation is mandatory for any standards compliance, whether SOX, COBIT, or ITIL. It is often cited as a best practice, but there is a growing number who would disagree and argue that constantly forcing users to change their passwords actually works against good security. If people must change passwords so often that they cannot remember them, then re-use and handwritten notes expose the accounts more than leaving them alone would.

Those critics also argue that the frequency of change has no relevance as a preventative measure against any hacking method, whether brute-force cracking or social engineering. And frequency is indeed a consideration, as the conventional wisdom of the “best practice” has seemingly shrunk from yearly to twice yearly to, in many cases, monthly.

In the end, the only reasonable answer I could rationalize was one of administrative practicality. Any standard will dictate that the IT organization must maintain adequate controls on the management of accounts and data, and must periodically review and adjust the rights of the user base. Since sysadmins are, sadly, often left lagging or out of the loop entirely when it comes to timely notification of user turnover, ensuring that abandoned accounts automatically expire is indeed the ‘bestest’ of all best practices.
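As an added illustration of that last point (example code, not part of the original post), here is a small stale-account audit over a constructed directory export. It compares what a password-age policy actually kills against what a plain inactivity check catches, including an abandoned account that a yearly rotation would leave live for months; the account names, dates and policy values are all assumptions.

```python
from datetime import date

# Constructed sample directory export (not from any real system). A last_logon
# of None means the account has never been used interactively.
ACCOUNTS = [
    {"user": "alice", "password_set": date(2024, 5, 1), "last_logon": date(2024, 6, 10)},
    {"user": "bob", "password_set": date(2023, 11, 1), "last_logon": date(2023, 12, 15)},
    {"user": "carol", "password_set": date(2024, 1, 20), "last_logon": date(2024, 6, 11)},
    {"user": "svc_backup", "password_set": date(2022, 3, 1), "last_logon": None},
]
AUDIT_DATE = date(2024, 6, 12)  # constructed "today" for the audit

def classify(account, today, max_password_age_days, inactivity_days):
    """Return the set of findings for one account.

    'rotation_expired': password older than policy allows; the account is dead
        until somebody changes the password, whether it is in use or not.
    'abandoned': no logon within inactivity_days (or ever), i.e. the turnover
        case that the rotation policy is really standing in for.
    'active_forced_to_rotate': a live user hit by rotation, the usability cost
        the critics point at.
    """
    findings = set()
    password_age = (today - account["password_set"]).days
    last = account["last_logon"]
    idle = (today - last).days if last is not None else None
    if password_age > max_password_age_days:
        findings.add("rotation_expired")
    if idle is None or idle > inactivity_days:
        findings.add("abandoned")
    elif "rotation_expired" in findings:
        findings.add("active_forced_to_rotate")
    return findings

def audit(accounts, today, max_password_age_days=90, inactivity_days=60):
    """Map each user to its findings so the two controls can be compared."""
    return {a["user"]: classify(a, today, max_password_age_days, inactivity_days)
            for a in accounts}

def abandoned_not_yet_expired(report):
    """Abandoned accounts that rotation alone has not killed yet: the gap an
    inactivity check closes no matter how long the rotation period is."""
    return sorted(u for u, f in report.items()
                  if "abandoned" in f and "rotation_expired" not in f)

if __name__ == "__main__":
    for max_age in (90, 365):
        report = audit(ACCOUNTS, AUDIT_DATE, max_password_age_days=max_age)
        print(f"max password age {max_age} days:")
        for user, findings in report.items():
            print(f"  {user:12s} {sorted(findings)}")
        print("  abandoned but still live:", abandoned_not_yet_expired(report))
```

Under a 90-day policy both abandoned accounts are already dead, but so is carol, who is active; under a yearly policy bob's account stays usable months after he left.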