Why the 90 Day Rule for Password Changing?
I consistently find passwords one of the most challenging parts of any awareness program, as we have to teach people a patchwork of confusing rules. These rules can include: always use long, complex passwords; never share your passwords; use unique passwords for every account; never write your password down; be cautious of personal questions; and more. To make matters worse, not only are different people teaching different rules, but those rules change over time. *sigh*
One of the key guidelines of changing behavior is to focus on the fewest behaviors that address the greatest risk. When you take this approach, you will soon find the hardest part about effective awareness is deciding what NOT to teach people. For example, a frustration of mine is the old adage "always change your passwords every 90 days." Why? This rule may have had value eons ago, but let's take a look and see what the value (and costs) truly are.