I get asked that question a lot, usually by people annoyed at their employer's or bank's password expiration policy: people who finally memorized their current password and are realizing they'll have to write down their new password.How could that possibly be more secure, they want to know.

Password for camfree websites-89

It's much less important for a credit card or passport to have an expiration date, now that they're not so much bearer documents as just pointers to a database.

If, for example, the credit card database knows when a card is no longer valid, there’s no reason to put an expiration date on the card.

But the expiration date does mean that a forgery is only good for a limited length of time. If a hacker gets your password either by guessing or stealing it, he can access your network as long as your password is valid.

If you have to update your password every quarter, that significantly limits the utility of that password to the attacker. It assumes a passive attacker, one who will eavesdrop over time without alerting you that he's there.

And if you force people to change their passwords regularly, they're more likely to choose easy-to-remember -- and easy-to-guess -- passwords than they are if they can use the same passwords for many years.

So any password-changing policy needs to be chosen with that consideration in mind.

The primary reason to give an authentication credential -- not just a password, but any authentication credential -- an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else.

If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. This becomes less important when the credential contains a biometric -- even a photograph -- or is verified online.

In many cases today, though, that assumption no longer holds.

An attacker who gets the password to your bank account by guessing or stealing it isn't going to eavesdrop.

He's going to transfer money out of your account -- and then you're going to notice.