No Password Expiration and Two Factor Authentication

One of the better security videos we have released is on two-factor authentication. It is pithy, short, and in language a normal human being can understand.

While I have always railed against silly security rules that waste everyone’s time, password expiration has particularly irked me. It is mathematically indefensible and just complicates everyone’s life if you have a long password. As we roll out two-factor authentication, we will make user passwords never expire.

To highlight the emotional impact this has, two things happened when I announced this at executive cabinet:

  1. The President immediately blurted out “…and this is why you invest in information security!” and,
  2. Several of my colleagues teared up as changing passwords is one of the things they most dreaded about work.

Combining the two initiatives will accelerate adoption of 2-factor authentication.