I recently overheard a colleague mention that, in his opinion, the best form of password security for their enterprise is to not enforce monthly or quarterly password changes for their employees. His reasoning? Requiring tough passwords and forcing employees to change them periodically often drives them to write their passwords down (sometimes even on a sticky note attached to a monitor or desk). In his view, that is a bigger security risk than not enforcing periodic password changes at all.
At first, I thought this was one of the craziest ideas I had ever heard. It goes against one of the most basic security principles out there: make your passwords tough and change them often.
Upon further thought, I decided that the logic behind the idea makes some sense. Letting employees keep the same password indefinitely may reduce the number of people who resort to writing it down. That said, I do not think it is a viable solution. Whether or not you force employees to change their passwords, there will always be some who like to write them down. In addition, a password that never expires gives anyone who obtains it access for an indefinite period, whereas periodic rotation at least bounds how long a compromised credential stays valid. The risk of allowing indefinite access through a compromised account outweighs the risk of someone reading a written-down password.