How Changing Your Password Sucks

On The True Cost of Expiring Passwords

From “Archon”, a commenter on Bruce Schneier‘s 08/05/2016 blog article “Frequent Password Changes Is a Bad Security Idea” ( —

I work at a company that recently dropped its passwords from 90 days to 60 days. The solution for the people in the 61-90 range? Expire their passwords right now! Can’t have anyone violating security policy!

I told the PHB [1] this was a horrible idea, he did not listen. Now I have 1/3 of 2000 people calling me and very, very angry.

Archon’s anecdote is the real world.  Few people understand, or calculate, the True Cost of expiring passwords. Many sys-admins do.  Business weasels [2] and Dilbert’s pointy-haired manager [1] do not.

Consider this (not so fictional) user’s story:

Joe User (no sexism intended — “Joe” could be “Jo”) comes to work on his/her regular shift, and, as he does every day, turns to his terminal (usually, now-a-days, a terminal emulator on his workstation’s desktop, and could be in a cubicle or on the factory floor, etc.) to log(in/on)/sign(on/in) to his application computer system (Unix, Linux, OpenVMS, mainframe or other).  Note that computer access is essential to his work and job performance.

He enters his…
Username: juser

Password: **********

Bingo-bang!  Computer responds with “Your password has expired!
…and down goes poor Joe into the dreaded Password-Dialogue-From-Hell.


* Palms his forehead, raising a welt (this could be sufficient cause to file an accident report).
* Mumbles a profanity at the terminal.  Poor terminal (this also could be grounds for an incident report).
* Stares dumbly at the blinking cursor for some period of time.
* Swears again.
* Pushes his chair back.
* Stands up abruptly, causing his chair to tip over (possibly grounds for another accident report).
* Walks down the hall to the restroom, hoping to think of a new password.
* Returns from the restroom, thinking happily about his crafty new secret password.

* Notes that his terminal has timed-out.  Starts the whole log(in/on)/sign(on/in) process afresh.
* Is confused about whether to enter his old password again in response to the password prompt…
* While he’s thinking about this, his terminal session times-out again.
* Swears…
* Starts over again.
* Still confused, but says “To hell with it…” and enters his old password.
* Gets the “Please enter a new password:” prompt again.
* Has forgotten his crafty new secret password.
* Stares at the terminal for “a long time”…
* Terminal session times-out again.

* Curses… A prim, proper, timid yet politically-correct colleague across the aisle furtively files a formal online complaint against him.
* Starts over again.
* Recovers his train of thought from the restroom trip, and happily enters his crafty new secret password when the system demands “Please enter a new password:“.
* System responds: “That password is found in the proscribed dictionary.  Please enter a new password:
* Says “Huh?!?”
* System times-out again.
* Curses…
* Throws his pencil at the wall…
* P.C. colleague picks up the phone to call the designated HR representative for sexual harassment and workplace violence.

* Starts over again.
* “Please enter a new password:
* Types in the first thing that occurs to him.
* System responds: “Password is too easy to guess. Please enter another string.
* “…another string??!!! I thought this was a password thing…” Another profanity.
* System is really slow, so he has time to think up yet-another-password.
* Enters his new-new password when prompted “Please enter a new password:
* System responds: “The entered password does not meet complexity requirements.  Please enter a new password:
* Curses…
* Swears…
* Enters his new-new password when prompted “Please enter a new password:
* System responds: “Passwords may not contain profanity. If you persist, your violations will be reported.  Please enter a new password:
* Curses…
* Slams keyboard on desk…
* P.C. colleague calls the cops; a SWAT team is dispatched, but cannot get past the building entrance security guards.

* Calms down a bit when his PHB-Supervisor walks over to see what’s wrong.
* Takes deep breaths and explains his problem.
* PHB-Supervisor advises him to call the Help Desk.
* Calls Help Desk, listens to nine minutes of Karen Carpenter’s “Close To You”… mutters a counterpoint of profanities under his breath.
* “Hello, this is Roger in Kansas City, how can I help you?” (in reality, Rajesh in Bombay; he can tell from the accent).
* Explains his problem.  “Roger” doesn’t get it, and tells him to “Please to reboot your PC.”
* Swears… “Roger” doesn’t get that either.
* Calms down… Tries to patiently explain to “Roger” that he needs help to reset his password.
* “Roger” finally asks him “Which system?” Joe explains carefully and slowly. When “Roger” finally understands that the system in question is an applications system and “Ohhh… this is not Windows, no?…”, explains that he cannot help. “But, I can please help you to reboot your Windows whenever is best convenient for you, no?”
* Curses… Swears… Slams phone… Verging on hyperventilation… et cetera…
* P.C. colleague is now hiding under desk, quietly praying agnostically.

* PHB-Supervisor swings by again, observing the obvious that the Help Desk is really for Windows-only problems, and advises that Joe really should call the application system’s administrator, helpfully providing the phone number.
* Calls system administrator.
* Gets voice mail: “Hey, this is Hal, leave me a message, I might get back to you. Heh-heh.”
* Leaves voice mail, peppered with profanity.
* Gets up and goes to coffee room.  Spends an hour telling colleagues about his problems, including the password expired problem.

* Gets call-back from Hal, the Sys-admin, who patiently explains the password policy.  “All passwords must exceed eight characters, but not thirty-two characters, and must contain mixed-case letters, at least three numeric digits, exactly two special characters, at least one emoji, with bonus points for using porpoise noises or an approved Ameslan sign language dialect.”
* Listens silently, while his eyeballs spin in counter-directions.
* Asks: “Would Xyzzy&796%fooBar” be an acceptable password.  Hal says: “Yes, it would, except it lacks porpoise sounds, and you cannot use it because you’ve told me what it is. If you use it, we’d have to shoot you.  Heh-heh.”
* Joe: grimaces.
* “Ya know,” Hal goes on, “I volunteered to join the Security Policy Committee, just to try to keep things from gettin’ out-a-hand, ya know. Heh-heh.”
* “Yeah, right,” Joe mutters.
* Hal doesn’t seem to notice, continues: “One gal on the committee, she heard somewhere that — get this — she says it with a straight face: ‘The most secure computer system is one that’s unplugged and put in a Faraday cage, encased in concrete, and then dumped into the Marianas Trench.’ She’s dead serious! She does allow as that might be goin’ too far for our own company systems. But then she asks: ‘Why don’t we unplug ours and just run them on batteries?’  See whad’I mean?…”
* Joe: “You’re kidding me, right?”
* Hal: “Nope.  I’m tellin’ ya.  Y’all are lucky I’m on the Committee. ‘S’a matter of fact, I’m authorized to make you a special one-time offer, bein’ as you’re updating your password today’n all.”
* Joe: “A deal. Okay, I’ll bite.  What deal?”
* Hal: “Well, the Committee’s fixin’ to release an updated Policy next week, and that’n will make passwords expire weekly.”
* Joe, incredulous: “What?! Wait, man… Hell, we’ll never get logged in to get any work done!”
* Hal: “Yah, that’s been discussed as a possible revenue issue, but the way the Committee figures it, if we can get to the point where nobody can login, we’ll likely get a Full Compliance Security Rating in our next SOX Audit. The CTO and the Corporate Attorney say that they like it, and they say if’n we get there, they’ll release our daughters.”
* Joe:  “Wait…what?! Daughters? Who’s daughters?”
* Hal: “It was a condition for joining the Policy Committee. They’re holding our girls as hostage… er, in escrow, as an inducement to getting all our internal systems all into compliance. They’re all stayin’ in a dormitory over at the Convent, the Sisters of Perpetual Expiration. I hear they’re doin’ pretty good, the nuns have them workin’ as human computers on a project to simulate breaking something called Enigma, whatever that is. Seem to be enjoyin’ it; last time I talked to Sammi, they were all callin’ themselves ‘the P.C.s’.”
* Joe: “Um, is this okay with you?”
* Hal: “Oh, yeah, sure. Heh-heh. Every team needs a bit of motivational inspiration every now and then, ‘n it’s been a lot quieter around the house. The Board of Directors has promised us that if we get to full compliance before Christmas this year, they’ll even give us our year-end bonuses!”
* Joe: Doesn’t know quite what to say…
* Hal: “Hey, I almost forgot! Back to your deal! Since your password expired today, I’m authorized to make you this one-time limited offer: If you actually manage to get your password reset today by close of business, you’ll be automatically grandfathered into the 30-day password expiration cycle for the rest of the year, rather than gettin’ pulled into the new 7-day limit.”
* Joe: “So, if I don’t get my password changed today, I’m gonna have to do this every week?”
* Hal: “Yup, that’s right.”
* Joe: “Hell, man, this is messed up. What if I don’t?”
* Hal: “Which what? Don’t get it changed today, or don’t like changin’ it weekly?”
* Joe: “Well, either one?”
* Hal: “Well, then that’d be a violation. We’d have to shoot you. Heh-heh.”
* Joe: “C’mon, man, get serious. I mean, look… What if I just stay logged-on, never log-off, and just throw a blanket over my terminal so no-one can tell?”
* Hal: “Well, then that’d be a violation. We’d have to kill you.”
* Joe: “You’re jokin’ again, right?”
* Hal: “Nope, not this time. But fortunately, we’re installin’ Cisco’s new Enterprise Inactive Process Crusher to monitor and terminate violatin’ interactive sessions like yours. It’ll kill your session whenever you go to lunch, or to the restroom, at shift-end, and every time you stop typing stuff for more than 90 seconds. If you don’t get your password reset today, you’ll likely never logon again.” Cackles gleefully to himself.
* Joe: Sighs… Says “Thanks for the help, man…” and hangs up.

* Thus forewarned, prepared and comprehending (not really), thinks hard about his trusty old password, remembers that it’s got a “4” in it, decides to change the “4” into a “5” and hope for the best…
* Starts over…
* This time, when prompted “Please enter a new password:“, enters his old password with the “5” substituted for the “4”, hits the Enter key and prays.
* System responds: “Please enter a new password:
* “Yes!”  Overjoyed, enters his new-new-new password, but — as old habits die hard — with the “4”…
* System responds: “Passwords do not match.  Please enter a new password:
* Swears, et cetera…
* P.C. colleague is crawling on belly towards the nearest exit. Much shouting can be heard from the vicinity of the building entrance.

* … “Please enter a new password:
* Enters his new-new-new password with the “5”…
* “Please confirm the new password:
* Using only two index fingers, carefully and slowly starts typing his new-new-new password again…
* Before he’s done, system responds with “Time-out expired.
* Tears come to Joe’s eyes.
* To no-one in particular, shouts “If this doesn’t work this time, I’m gonna…”
* Starts over, one last time…
* “Please enter a new password:
* Enters his new-new-new password with the “5”…
* “Please confirm the new password:
* A bit more quickly, but still with two index fingers, types his new-new-new password again, sounding it out silently, and remembering to use the “5” instead of the “4”.
* System hesitates, then responds: … “Password has been changed successfully.
* Erupts from his chair with shouts of triumph.
* P.C. colleague bolts for the door… Emerges running into the parking lot, where the SWAT team takes careful aim…
* Joe immediately writes his new-new-new password onto a Post-It Note with a red Sharpie, and tapes it to his workstation’s screen in the upper-right corner. Uses duct-tape on all four edges so it won’t blow away.
* Finally gets to work… but is a basketcase for the rest of the day.

* Later that afternoon, receives an email from “the Corporate Security Team” stating that: “Data security is critical to FooBar Corporation. For this reason, we required that any and all passwords be changed periodically. Due to our improved security policy, your network access password will expire in 7 days. Failure to update your network password within this timeframe will result in loss of network access, plus a mandatory remedial system security retraining class which must be completed no later than 30 days from the date of the infraction.
* Joe is forcibly restrained and removed from the premises by building security. After a fifteen day stay in the Mental Rehab Center across the street from the Sisters of Perpetual Expiration Convent, he shakily returns to work.

* …30 days later…

I’ll examine the true cost of the corporate “Password Expiration Security Policy” in a future post.

[1] Wikipedia article:; see also and

[2]  Thanks to my colleague Swift for the use of the phrase “business weasels”, referring to  MBAs, mid- to upper-managers (usually non-technical), and corporate attorneys.

Posted in Computer Security, Technology | Tagged , , , , | Leave a comment

“Intro to Ruby” Saturday Seminar, December 6th 2014

I’m pleased to announce that the Software Freedom School (SFS), supported in partnership by the PARSEC Group (full disclosure: my employer), has asked me to lead another full-day Introduction to Ruby seminar, this one on Saturday, December 6th 2014.  To avoid a boring rehash of the details, go here ( to see the full description and to register.

Continue reading

Posted in Technology, Uncategorized | Tagged , , , , , , , , , , , | Leave a comment



I get asked to provide samples of my writing products, either my technical and business output or, especially now that I’m making forays into science fiction, my “other stuff.”  I post articles about a variety of things here on, and I monitor regularly, looking for questions where I can share a helpful answer, and opportunities to upvote other great answers. [Short-link to this post:]

Continue reading

Posted in Writing | Tagged , , , , , , , , | Leave a comment

Answered: a GNU/Linux command options syntax question

My answer to another question, this time about GNU/Linux command-line options syntax: “Is a negative sign ‘-‘ used within Linux commands to enable or disable options?”

Continue reading

Posted in Technology | Tagged , , , , , , , , , , , , , | Leave a comment

Answered: “How long will it be until we run out of notes for classical music?”

Earlier this evening, I enjoyed preparing an answer to the question “How long will it be until we run out of combinations of notes for a classical music composition?” Back-of-the-envelope calculations can be interesting and fun, and you don’t really know where it’s all going to lead you until you get there…

Continue reading

Posted in Music | Tagged , , , , , , | Leave a comment

Introducing “The Ben and Kaèly Chronicles” (with free sample)

Over the past year, I’ve started writing science fiction, spurred by the encouragement and friendship of a small community of Colorado-based pro authors. I’ve already got a couple of sci-fi works in-progress, one a solo effort of sort-of warm-up etudes, the other an ambitious epic space opera under collaborative harness with my great friend, award-winning author and colleague Peter J. Wacks.

The etudes have taken form as The Ben and Kaèly Chronicles — I’ve been developing this collection under the auspices and services of, which makes it possible for me to offer that first story as a free sample, a PDF-file which you are invited to download and read for free here:

Continue reading

Posted in Sci-Fi, Science Fiction | Tagged , , , , , , , , | 3 Comments

Recovering Linux – 6

This is the sixth installment of a series of posts to document “How I recovered my Linux systems…”  See the first post and second post for the preliminaries, the third post for diagnostics and disassembly, the fourth post for reassembly and hardware checkout, and the fifth post which completes the hardware and software rebuild of my PC-A system… Now, on to my wife’s system, PC-B…

I’ve taken some time in getting back to this, the penultimate post in this series of “recovering Linux,” mostly to be sure that I’d not been fooling myself into a false sense of it’s-fixed-now as I recovered the second of our two Linux systems, PC-B, which suffered a disk failure at roughly the same time as the first, PC-A, system did.  Perhaps not surprisingly, although PC-B seemed to have a hard disk failure similar to PC-A’s, the hardware diagnosis, and thus the fix, took an entirely different turn.

Whereas PC-A’s problem was indeed a hard disk failure (a “disk crash” in the popular vernacular, although nothing actually “crashed”) — readily diagnosed by the audible screeching sound that the disk emitted as it failed — PC-B’s failure mode was, upon subsequent evaluation, quite different.  And although I was prepared to take a similar course of action — hard disk replacement, repartioning and reformatting, operating system reinstallation, and data recovery from backup resources — to repair it, things turned out quite differently.

Continue reading

Posted in Technology | Tagged , , , , , , , , , , , , , , , , , | 1 Comment