Frequent password changes are the enemy of security (arstechnica.com)
Password changing gives an advantage even if it's just a minor change. Keep that in mind.
Presumably that is required to stop simple password rotation of Password1, Password2, Passsword1
> why bother with the ones that don't work?
That's going to depend on what the attack is against. If it's a consumer-facing web site then you're probably right and the attacker will move right along unless it's a high-profile account (Zuckerberg et al). If it's an internal system then the attacker is probably more interested in named accounts/roles, and spending a few seconds to work out whether the password is an easily decipherable sequence will quickly pay off.
Furthermore, if you have an internal system, the administrator should enforce certain password conditions. They could even forbid the use of old passwords...
If the current password is in the table, how long it has been in use doesn't matter.
Rotating passwords mostly addresses an internal workplace issue of sharing passwords between coworkers. That's a symptom of security culture problems and probably more deeply operational organization problems => why don't people have access to the tools they need when they need them?