This summer I had the chance to visit the Tomb of the Unknown Soldier in Arlington National Cemetery with my son. It was my second time there, his first, and we had the chance to watch the changing of the guard twice. In the summer they change every 30 minutes, a little less frequently at night and in the winter, but it's an amazing thing to watch (you can see it here). I've also had the chance to see the changing of the guard at Buckingham Palace.
These are symbolic events, and while I'd urge you to go see them if you can, they aren't really in place to provide security. In our lives and work, we have real security measures that are designed to protect things that we are really concerned about. In the technology business, one thing we do is change passwords.
For this Friday's poll, I wanted to ask a bit about your own changing of the guard. I am curious to know how you handle the internal procedures at your company.
How often do you change your administrator passwords?
These can be the domain/Windows administrator password, the SA password in SQL Server, or your personal account if it has administrator privileges. Perhaps you have separate schedules for all of them. If so, let us know, and If you have reasons, post them.
In the past, I've had password changes enforced at various intervals for different employers: 30 days, 60 days, 90 days, 120 days, 180 days, and infinity (never changing passwords). Those are typical intervals that I've seen, though these days I think everyone has something lower than infinity. Or I hope they do.
I hated 30 days since it required me to think of new passwords too often. I, and many other people I worked with, ended up using the same password with a 1, 2, 3, etc. added at the end. We rotated a new number every month, and since our system remembered 10 passwords, we could end up using the same password every 11 months.
To me 60 days was a much better time frame. Short enough to provide good security (I think), but long enough that it wasn't a huge hassle to remember. It also wasn't an interval that resulted in a large number of sticky notes on a monitor. These days I change my employer passwords every 90 days, and also change the password on my Password Safe every few months. I also rotate some shared credentials, like my Live ID, at least once a year. However I often leave other passwords alone for long periods of time. Not sure that's a good move.
So this Friday, let us know how often you change your passwords, and what makes a good interval in your mind.
Steve Jones
The Voice of the DBA Podcasts
The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.
You can also follow Steve Jones on Twitter:
or now on iTunes!
- Windows Media Podcast - 29.1MB WMV
- iPod Video Podcast - 22.9MB MP4
- MP3 Audio Podcast - 4.7MB
Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.