Change passwords when there is a specific reason to do so.
Changing passwords whenever there is a specific reason to believe
that a password has been exposed is clearly sensible. But if carried
to extremes, it may cost more than the exposure warrants. This
approach calls for knowing when an event has occurred and what systems
may be affected by it. Examples of events causing obvious exposures
include the movement of an employee from one job to another, a known
computer break-in, or a change in key personnel. In each case, the
exposure is that someone can use passwords they know to reach accounts
beyond what their current role requires. Figuring out
which systems may be affected is somewhat complicated by
interdependencies of systems and commonalities between systems. For
example, if a file server password is exposed, it may affect all of
the systems that use that file server. If the same user has accounts
on multiple systems, they likely use the same or similar passwords on
many of them, and every system where that password is reused is
therefore exposed as well. There are many other similar examples.
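The scoping problem described above, as an added example that is not part of the original text: a small Python script takes an inventory of system dependencies and user accounts (the hosts, users and privilege assignments below are constructed and hypothetical) and propagates an exposure through the relationships the text names, so the output is the list of systems and accounts whose passwords actually need changing. It goes slightly beyond the text in two assumptions, both marked in the code: it distinguishes a compromised system (every password on it is exposed) from an exposed account (one user's password on one system), and it treats a reused password as compromising a further system only where the account is privileged there.

```python
"""Scope which passwords an exposure reaches.

Added example, not from the original text. The inventory below is
constructed; the hosts, users and privilege assignments are made up.
"""
from collections import deque

# DEPENDS_ON[s] = systems that s trusts (mounts shares from, authenticates
# through, pulls configuration from). Compromise of one of them exposes s.
DEPENDS_ON = {
    "build01": {"fileserver"},
    "wiki": {"fileserver", "ldap"},
    "mail": {"ldap"},
    "payroll": set(),
    "fileserver": set(),
    "ldap": set(),
}

# ACCOUNTS[user] = systems on which that user has a password.
ACCOUNTS = {
    "alice": {"fileserver", "build01", "payroll"},
    "bob": {"wiki", "mail"},
    "svc-backup": {"fileserver", "payroll"},
}

# Assumption of this example: an exposed *privileged* account is as bad as
# a compromise of the system itself; an ordinary account is not.
PRIVILEGED = {("alice", "build01"), ("svc-backup", "payroll")}


def dependents_of(system, depends_on):
    """Systems that directly trust `system` (reverse edges of DEPENDS_ON)."""
    return {s for s, deps in depends_on.items() if system in deps}


def scope_exposure(compromised_systems=(), exposed_users=(), *,
                   depends_on=DEPENDS_ON, accounts=ACCOUNTS,
                   privileged=PRIVILEGED, assume_password_reuse=True):
    """Propagate an exposure to a fixpoint.

    `compromised_systems`: systems an intruder is known to control.
    `exposed_users`: users whose passwords are no longer trusted (for
    example after a job change), without any system being compromised.
    Returns (systems, accounts): the compromised systems, and the
    (user, system) pairs whose password must be changed.
    """
    systems, exposed_accounts = set(), set()
    work = deque(("system", s) for s in compromised_systems)
    for u in exposed_users:
        work.extend(("account", (u, s)) for s in accounts.get(u, ()))

    while work:
        kind, item = work.popleft()
        if kind == "system":
            if item in systems:
                continue
            systems.add(item)
            # Rule 1 (from the text): whatever trusts this system inherits
            # the exposure, e.g. every host that uses a compromised file server.
            for dep in dependents_of(item, depends_on):
                work.append(("system", dep))
            # Rule 2: every password held on a compromised system is exposed.
            for u, held in accounts.items():
                if item in held:
                    work.append(("account", (u, item)))
        else:
            if item in exposed_accounts:
                continue
            exposed_accounts.add(item)
            u, s = item
            # Rule 3 (from the text): assume the user reused the password,
            # so the same user's other accounts are exposed too.
            if assume_password_reuse:
                for other in accounts.get(u, ()):
                    work.append(("account", (u, other)))
            # Rule 4 (assumption): an exposed privileged account compromises
            # the system it is privileged on, which re-enters rule 1 and 2.
            if item in privileged:
                work.append(("system", s))
    return systems, exposed_accounts


if __name__ == "__main__":
    sys_set, acct_set = scope_exposure(compromised_systems={"fileserver"})
    print("compromised systems:", sorted(sys_set))
    print("passwords to change:", sorted(acct_set))
```

Running it for a compromised file server lists build01 and wiki as compromised through the dependency edges, and payroll through the reused password of the privileged `svc-backup` account, while `ldap` (which nothing in the exposure reaches) is left alone. Passing `exposed_users={"bob"}` instead yields only Bob's own accounts, which is the correct, much smaller response to a job change. Setting `assume_password_reuse=False` shows how much of the rotation list depends on the reuse assumption, which is the argument for eliminating reuse rather than for rotating on a calendar.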
Change passwords at convenient system changeover times.
There is nothing inherently wrong with this practice, and indeed
all new systems should have all user passwords initially set to
non-default values. But this does not address the other exposure
issues and is thus of limited value.
Change passwords at regular intervals.
This is recommended by most security standards and thus widely
accepted. There are, however, some problems with changing passwords at
regular intervals. Some of the major problems include:
The basic reason to change a password is that the password in question
may be known to an unauthorized user. The period between when an
unauthorized user learns a password and when the password is changed
is a period of exposure to attack, and the goal of password changes is
to reduce it. It is also important to consider that even a fairly
short exposure period can have severe consequences. In many cases,
within seconds to minutes of an initial break-in, "back doors" are put
in place to allow reentry to the system even after the passwords are
changed. For this reason, simply changing passwords may not be an
effective response once an exposure has occurred.