Windows Vista Forums

Re: Windows Live Hotmail Phising Scheme

  1. #1


    Gary VanderMolen Guest

    Re: Windows Live Hotmail Phising Scheme

    Anyone know what the rationale is for changing your Live ID password every 90 days?
    I've never changed mine.



    --
    Gary VanderMolen, Microsoft MVP (Mail)
    http://mvp.support.microsoft.com/def...le/vandermolen


    "...winston" <winstonmvp@newsgroup> wrote in message news:e8ETtxqRKHA.3876@newsgroup

    > This one's a bit more definitive with instructions and links.
    > 10/5/2009
    > Update: Phishing scheme affecting some Hotmail customers
    > http://windowslivewire.spaces.live.c...y?sa=698771887
    >
    > <qp>
    > Microsoft recommends customers use the following protective security measures:
    >
    > Renew their passwords for Windows Live IDs every 90 days
    [snip]


  2. #2


    ...winston Guest

    Re: Windows Live Hotmail Phising Scheme

    Gary,
    I've never seen an explanation nor do I recall anyone claiming they abide by the 90 days suggestion.

    Maybe 'quarterly' sounded nice when the statement was written, discussed etc.


    --
    ...winston
    ms-mvp mail

    "Gary VanderMolen" <gary@newsgroup> wrote in message news:OXYCyAtRKHA.2092@newsgroup

    > Anyone know what the rationale is for changing your Live ID password every 90 days?
    > I've never changed mine.
    >
    > --
    > Gary VanderMolen, Microsoft MVP (Mail)
    > http://mvp.support.microsoft.com/def...le/vandermolen
    >
    >
    > "...winston" <winstonmvp@newsgroup> wrote in message news:e8ETtxqRKHA.3876@newsgroup

    >> This one's a bit more definitive with instructions and links.
    >> 10/5/2009
    >> Update: Phishing scheme affecting some Hotmail customers
    >> http://windowslivewire.spaces.live.c...y?sa=698771887
    >>
    >> <qp>
    >> Microsoft recommends customers use the following protective security measures:
    >>
    >> Renew their passwords for Windows Live IDs every 90 days
    > [snip]


  3. #3


    R. C. White Guest

    Re: Windows Live Hotmail Phising Scheme

    Hi, Winston - and Gary.

    It seems to me the question is not about "90 days" or any other specific
    time.

    Why the oft-repeated admonition to change passwords, anyhow?

    If a hacker can crack my password in 90 days, he probably can do it in 3
    days - or less. If he never tries to crack my password, what does it matter
    if I've used the same password for 20 years? Or if he tried and couldn't
    crack it, why should I change it to one that he might be able to crack?

    My passwords have never been cracked - so far as I know. So why should I
    change any of them?

    As you know, Winston, I'm certainly no security expert. But I wonder about
    the rationale for changing a password. Maybe the reasoning is different for
    me, with my one-man, one-computer, no-net-but-the-Internet situation. I'll
    bet that a big organization with lots of computers and lots of users has a
    whole different set of ideas about passwords.

    The only way I can see that this might apply to me is if someone has already
    stolen my password and is just waiting for the right time to use it. Or he
    is already using it and I haven't noticed. In that case, what's magic about
    90 days? I'd better change the password NOW! But if I give a phisher my
    password, what does it matter if it is a strong password or not - or if I've
    changed it just this morning?

    RC
    --
    R. C. White, CPA
    San Marcos, TX
    rc@newsgroup
    Microsoft Windows MVP
    Windows Live Mail 2009 (14.0.8089.0726) in Win7 Ultimate x64

    "...winston" <winstonmvp@newsgroup> wrote in message
    news:#A7lCQwRKHA.1372@newsgroup

    > Gary,
    > I've never seen an explanation nor do I recall anyone claiming they abide
    > by the 90 days suggestion.
    >
    > Maybe 'quarterly' sounded nice when the statement was written, discussed
    > etc.
    >
    >
    > --
    > ...winston
    > ms-mvp mail
    >
    > "Gary VanderMolen" <gary@newsgroup> wrote in message
    > news:OXYCyAtRKHA.2092@newsgroup

    >> Anyone know what the rationale is for changing your Live ID password
    >> every 90 days?
    >> I've never changed mine.
    >>
    >> --
    >> Gary VanderMolen, Microsoft MVP (Mail)
    >> http://mvp.support.microsoft.com/def...le/vandermolen
    >>
    >>
    >> "...winston" <winstonmvp@newsgroup> wrote in message
    >> news:e8ETtxqRKHA.3876@newsgroup

    >>> This one's a bit more definitive with instructions and links.
    >>> 10/5/2009
    >>> Update: Phishing scheme affecting some Hotmail customers
    >>>
    >>> http://windowslivewire.spaces.live.c...y?sa=698771887
    >>>
    >>> <qp>
    >>> Microsoft recommends customers use the following protective security
    >>> measures:
    >>>
    >>> Renew their passwords for Windows Live IDs every 90 days
    >> [snip]


  4. #4
    lemur


    Re: Windows Live Hotmail Phising Scheme

    When users are required to constantly change their password, they are more likely to write it down and leave it for others to see. Password changes are necessary, but maybe once a year.


  5. #5


    ...winston Guest

    Re: Windows Live Hotmail Phising Scheme

    Lol...R.C. You are absolutely correct..I was not trying to justify the necessity of changing the password, only that I didn't know
    anyone that abided by, if you'll allow a metaphor, that religion (change every 90 days).

    The only routine password change type of dogma that I'm aware of occurs in two places.
    1. Hotmail accounts have an option for the user to set it to expire every 72 days
    2. Business environments...which may have a policy to change user logon IDs (which also may automatically or require user manual
    change to corporate email accounts) periodically (e.g. every thirty days)...lol...sometimes for security issues like newsgroup
    passwords<eg>

    Like you, I've never had an account/password breach.
    - My *.edu email address still uses the same password (it was only changed once when they modified the system a few years ago, they
    sent me a new password, I logged on and changed it back to the original).
    - My first msn.com account (and a hotmail capable account) still has the same password since creation in the early 90's. Others are
    pretty much similar.

    The only time I've personally ever changed a Hotmail password was in testing the Password Change or Reset routine when someone else
    had a problem with it (fortunately for me, it always worked without issue, unfortunately for the user since I couldn't duplicate their
    problem).

    On the other hand, I have seen quite a few systems over the years where address books have been compromised necessitating a
    recommended password change...One person I recall whose account and address book was compromised had a username/password with
    mirror images of each other (e.g. david123@newsgroup pw = 321divad@newsgroup). The other thing I never really understood was in
    business (which you touched on)...where a user id/pw was changed monthly using the last name with the month number as a
    suffix (Smith01, Smith02), the password the same until changed by the user (at least Hotmail doesn't allow the same for username and
    password)...that method never made sense to me.

    Thus the only reason beyond what I mentioned earlier (90 days sounded nice) that might make sense for suggesting a change is that
    people create pretty simple passwords easily figured out by guessing or a simple algorithm.

    If you're hacked, you're hacked..and that's as good as any time to reset it...to something just as easily crack/hackable

    Now, if we could only get people to spell 'Phishing' correctly<g>


    --
    ...winston
    ms-mvp mail

    "R. C. White" <rc@newsgroup> wrote in message news:eDmD4I1RKHA.508@newsgroup

    > Hi, Winston - and Gary.
    >
    > It seems to me the question is not about "90 days" or any other specific time.
    >
    > Why the oft-repeated admonition to change passwords, anyhow?
    >
    > If a hacker can crack my password in 90 days, he probably can do it in 3 days - or less. If he never tries to crack my password,
    > what does it matter if I've used the same password for 20 years? Or if he tried and couldn't crack it, why should I change it to
    > one that he might be able to crack?
    >
    > My passwords have never been cracked - so far as I know. So why should I change any of them?
    >
    > As you know, Winston, I'm certainly no security expert. But I wonder about the rationale for changing a password. Maybe the
    > reasoning is different for me, with my one-man, one-computer, no-net-but-the-Internet situation. I'll bet that a big
    > organization with lots of computers and lots of users has a whole different set of ideas about passwords.
    >
    > The only way I can see that this might apply to me is if someone has already stolen my password and is just waiting for the right
    > time to use it. Or he is already using it and I haven't noticed. In that case, what's magic about 90 days? I'd better change
    > the password NOW! But if I give a phisher my password, what does it matter if it is a strong password or not - or if I've
    > changed it just this morning?
    >
    > RC
    > --
    > R. C. White, CPA
    > San Marcos, TX
    > rc@newsgroup
    > Microsoft Windows MVP
    > Windows Live Mail 2009 (14.0.8089.0726) in Win7 Ultimate x64
    >
    > "...winston" <winstonmvp@newsgroup> wrote in message news:#A7lCQwRKHA.1372@newsgroup

    >> Gary,
    >> I've never seen an explanation nor do I recall anyone claiming they abide by the 90 days suggestion.
    >>
    >> Maybe 'quarterly' sounded nice when the statement was written, discussed etc.
    >>
    >>
    >> --
    >> ...winston
    >> ms-mvp mail
    >>
    >> "Gary VanderMolen" <gary@newsgroup> wrote in message news:OXYCyAtRKHA.2092@newsgroup

    >>> Anyone know what the rationale is for changing your Live ID password every 90 days?
    >>> I've never changed mine.
    >>>
    >>> --
    >>> Gary VanderMolen, Microsoft MVP (Mail)
    >>> http://mvp.support.microsoft.com/def...le/vandermolen
    >>>
    >>>
    >>> "...winston" <winstonmvp@newsgroup> wrote in message news:e8ETtxqRKHA.3876@newsgroup
    >>>> This one's a bit more definitive with instructions and links.
    >>>> 10/5/2009
    >>>> Update: Phishing scheme affecting some Hotmail customers
    >>>>
    >>>> http://windowslivewire.spaces.live.c...y?sa=698771887
    >>>>
    >>>> <qp>
    >>>> Microsoft recommends customers use the following protective security measures:
    >>>>
    >>>> Renew their passwords for Windows Live IDs every 90 days
    >>> [snip]
    >


  6. #6


    R. C. White Guest

    Re: Windows Live Hotmail Phising Scheme

    Hi, Winston.

    Thanks for the confirmation and additional thoughts.

    I was not aiming my comments at you specifically, but adding to Gary's post
    to generate some discussion of the reasoning behind the oft-repeated advice
    to change passwords often.

    As I said, I'm sure the philosophy is different for an organization of more
    than one user. And it's different for a password that is used by multiple
    users. If I get fired today, I'm sure my ex-boss will want to make sure
    that none of his passwords that I know will still work on his machines or
    accounts!

    But nobody signs on to my Live ID or my bank account but me, so I see no
    reason to change my password unless I know or suspect that it has been
    compromised.

    RC
    --
    R. C. White, CPA
    San Marcos, TX
    rc@newsgroup
    Microsoft Windows MVP
    Windows Live Mail 2009 (14.0.8089.0726) in Win7 Ultimate x64

    "...winston" <winstonmvp@newsgroup> wrote in message
    news:OMPYTA4RKHA.4048@newsgroup

    > Lol...R.C. You are absolutely correct..I was not trying to justify the
    > necessity of changing the password only that I didn't know anyone that
    > abided by, if you'll allow a metaphor, that religion(change every 90
    > days).
    >
    > The only routine password change type of dogma that I'm aware of occurs in
    > two places.
    > 1. Hotmail accounts have an option for the user to set it to expire every
    > 72 days
    > 2. Business environments...which may have a policy to change user logon
    > ID's(which also may automatically or require user manual change to
    > corporate email accounts) periodically(e.g. every thirty
    > days)...lol...sometimes for security issues like newsgroup passwords<eg>
    >
    > Like you, I've never had an account/password breach.
    > - My *.edu email address still uses the same password(it was only changed
    > once when they modified the system a few years ago, they sent me a new
    > password, I logged on and changed it back to the original).
    > - My first msn.com account(and a hotmail capable account)still has the
    > same password since creation in the early 90's. Others are pretty much
    > similar.
    >
    > The only time I've personally ever changed a Hotmail password was in
    > testing the Password Change or Reset routine when someone else had a
    > problem with it(fortunately for me, it always worked without issue,
    > unfortunate for the user since I couldn't duplicate their problem).
    >
    > On the other hand, I have seen quite a few systems over the years where
    > address books have been compromised necessitating a recommended password
    > change...One person I recall whose account and address book was
    > compromised had a username/password with mirror images of each
    > other(e.g. david123@newsgroup pw = 321divad@newsgroup). The other thing
    > I never really understood was in business(which you touched on)...where a
    > user id/pw was changed monthly using the last name with the month number
    > as a suffix(Smith01, Smith02), the password the same until changed by the
    > user(at least Hotmail doesn't allow the same for username and
    > password)...that method never made sense to me.
    >
    > Thus the only reason beyond what I mentioned earlier(90 days sounded nice)
    > that might make sense for suggesting a change is that people create pretty
    > simple passwords easily figured out by guessing or a simple algorithm.
    >
    > If you're hacked, you're hacked..and that's as good as any time to reset
    > it...to something just as easily crack/hackable
    >
    > Now, if we could only get people to spell 'Phishing' correctly<g>
    >
    > --
    > ...winston
    > ms-mvp mail
    >
    > "R. C. White" <rc@newsgroup> wrote in message
    > news:eDmD4I1RKHA.508@newsgroup

    >> Hi, Winston - and Gary.
    >>
    >> It seems to me the question is not about "90 days" or any other specific
    >> time.
    >>
    >> Why the oft-repeated admonition to change passwords, anyhow?
    >>
    >> If a hacker can crack my password in 90 days, he probably can do it in 3
    >> days - or less. If he never tries to crack my password, what does it
    >> matter if I've used the same password for 20 years? Or if he tried and
    >> couldn't crack it, why should I change it to one that he might be able to
    >> crack?
    >>
    >> My passwords have never been cracked - so far as I know. So why should I
    >> change any of them?
    >>
    >> As you know, Winston, I'm certainly no security expert. But I wonder
    >> about the rationale for changing a password. Maybe the reasoning is
    >> different for me, with my one-man, one-computer, no-net-but-the-Internet
    >> situation. I'll bet that a big organization with lots of computers and
    >> lots of users has a whole different set of ideas about passwords.
    >>
    >> The only way I can see that this might apply to me is if someone has
    >> already stolen my password and is just waiting for the right time to use
    >> it. Or he is already using it and I haven't noticed. In that case,
    >> what's magic about 90 days? I'd better change the password NOW! But if
    >> I give a phisher my password, what does it matter if it is a strong
    >> password or not - or if I've changed it just this morning?
    >>
    >> RC
    >> --
    >> R. C. White, CPA
    >> San Marcos, TX
    >> rc@newsgroup
    >> Microsoft Windows MVP
    >> Windows Live Mail 2009 (14.0.8089.0726) in Win7 Ultimate x64
    >>
    >> "...winston" <winstonmvp@newsgroup> wrote in message
    >> news:#A7lCQwRKHA.1372@newsgroup

    >>> Gary,
    >>> I've never seen an explanation nor do I recall anyone claiming they
    >>> abide by the 90 days suggestion.
    >>>
    >>> Maybe 'quarterly' sounded nice when the statement was written, discussed
    >>> etc.
    >>>
    >>> --
    >>> ...winston
    >>> ms-mvp mail
    >>>
    >>> "Gary VanderMolen" <gary@newsgroup> wrote in message
    >>> news:OXYCyAtRKHA.2092@newsgroup
    >>>> Anyone know what the rationale is for changing your Live ID password
    >>>> every 90 days?
    >>>> I've never changed mine.
    >>>>
    >>>> --
    >>>> Gary VanderMolen, Microsoft MVP (Mail)
    >>>> http://mvp.support.microsoft.com/def...le/vandermolen
    >>>>
    >>>>
    >>>> "...winston" <winstonmvp@newsgroup> wrote in message
    >>>> news:e8ETtxqRKHA.3876@newsgroup
    >>>>> This one's a bit more definitive with instructions and links.
    >>>>> 10/5/2009
    >>>>> Update: Phishing scheme affecting some Hotmail customers
    >>>>>
    >>>>> http://windowslivewire.spaces.live.c...y?sa=698771887
    >>>>>
    >>>>> <qp>
    >>>>> Microsoft recommends customers use the following protective security
    >>>>> measures:
    >>>>>
    >>>>> Renew their passwords for Windows Live IDs every 90 days
    >>>> [snip]


  7. #7


    ...winston Guest

    Re: Windows Live Hotmail Phising Scheme

    Agreed...

    I also hate forced password changes, changes requiring resetting 3 secret questions...that may impact pulling that data from one
    site(bank, credit card) etc into another site that summarizes the pulled data(net worth, debt, etc)...the summarizing site may not
    have been updated to pull the new or changed questions, security image...a pita..


    --
    ...winston
    ms-mvp mail

    "R. C. White" <rc@newsgroup> wrote in message news:O0cfTBCSKHA.4592@newsgroup

    > Hi, Winston.

    >
    > But nobody signs on to my Live ID or my bank account but me, so I see no reason to change my password unless I know or suspect
    > that it has been compromised.
    >
    > RC
    > --
    > R. C. White, CPA
    > San Marcos, TX
    > rc@newsgroup
    > Microsoft Windows MVP
    > Windows Live Mail 2009 (14.0.8089.0726) in Win7 Ultimate x64
    >
    > "...winston" <winstonmvp@newsgroup> wrote in message news:OMPYTA4RKHA.4048@newsgroup

    >> Lol...R.C. You are absolutely correct..I was not trying to justify the necessity of changing the password only that I didn't
    >> know anyone that abided by, if you'll allow a metaphor, that religion(change every 90 days).
    >>
    >> The only routine password change type of dogma that I'm aware of occurs in two places.
    >> 1. Hotmail accounts have an option for the user to set it to expire every 72 days
    >> 2. Business environments...which may have a policy to change user logon ID's(which also may automatically or require user manual
    >> change to corporate email accounts) periodically(e.g. every thirty days)...lol...sometimes for security issues like newsgroup
    >> passwords<eg>
    >>
    >> Like you, I've never had an account/password breach.
    >> - My *.edu email address still uses the same password(it was only changed once when they modified the system a few years ago,
    >> they sent me a new password, I logged on and changed it back to the original).
    >> - My first msn.com account(and a hotmail capable account)still has the same password since creation in the early 90's. Others
    >> are pretty much similar.
    >>
    >> The only time I've personally ever changed a Hotmail password was in testing the Password Change or Reset routine when someone
    >> else had a problem with it(fortunately for me, it always worked without issue, unfortunate for the user since I couldn't
    >> duplicate their problem).
    >>
    >> On the other hand, I have seen quite a few systems over the years where address books have been compromised necessitating a
    >> recommended password change...One person I recall whose account and address book was compromised had a username/password with
    >> mirror images of each other(e.g. david123@newsgroup pw = 321divad@newsgroup). The other thing I never really understood was
    >> in business(which you touched on)...where a user id/pw was changed monthly using the last name with the month number as a
    >> suffix(Smith01, Smith02), the password the same until changed by the user(at least Hotmail doesn't allow the same for username
    >> and password)...that method never made sense to me.
    >>
    >> Thus the only reason beyond what I mentioned earlier(90 days sounded nice) that might make sense for suggesting a change is that
    >> people create pretty simple passwords easily figured out by guessing or a simple algorithm.
    >>
    >> If you're hacked, you're hacked..and that's as good as any time to reset it...to something just as easily crack/hackable
    >>
    >> Now, if we could only get people to spell 'Phishing' correctly<g>
    >>
    >> --
    >> ...winston
    >> ms-mvp mail
    >>
    >> "R. C. White" <rc@newsgroup> wrote in message news:eDmD4I1RKHA.508@newsgroup

    >>> Hi, Winston - and Gary.
    >>>
    >>> It seems to me the question is not about "90 days" or any other specific time.
    >>>
    >>> Why the oft-repeated admonition to change passwords, anyhow?
    >>>
    >>> If a hacker can crack my password in 90 days, he probably can do it in 3 days - or less. If he never tries to crack my
    >>> password, what does it matter if I've used the same password for 20 years? Or if he tried and couldn't crack it, why should I
    >>> change it to one that he might be able to crack?
    >>>
    >>> My passwords have never been cracked - so far as I know. So why should I change any of them?
    >>>
    >>> As you know, Winston, I'm certainly no security expert. But I wonder about the rationale for changing a password. Maybe the
    >>> reasoning is different for me, with my one-man, one-computer, no-net-but-the-Internet situation. I'll bet that a big
    >>> organization with lots of computers and lots of users has a whole different set of ideas about passwords.
    >>>
    >>> The only way I can see that this might apply to me is if someone has already stolen my password and is just waiting for the
    >>> right time to use it. Or he is already using it and I haven't noticed. In that case, what's magic about 90 days? I'd better
    >>> change the password NOW! But if I give a phisher my password, what does it matter if it is a strong password or not - or if
    >>> I've changed it just this morning?
    >>>
    >>> RC
    >>> --
    >>> R. C. White, CPA
    >>> San Marcos, TX
    >>> rc@newsgroup
    >>> Microsoft Windows MVP
    >>> Windows Live Mail 2009 (14.0.8089.0726) in Win7 Ultimate x64
    >>>
    >>> "...winston" <winstonmvp@newsgroup> wrote in message news:#A7lCQwRKHA.1372@newsgroup
    >>>> Gary,
    >>>> I've never seen an explanation nor do I recall anyone claiming they abide by the 90 days suggestion.
    >>>>
    >>>> Maybe 'quarterly' sounded nice when the statement was written, discussed etc.
    >>>>
    >>>> --
    >>>> ...winston
    >>>> ms-mvp mail
    >>>>
    >>>> "Gary VanderMolen" <gary@newsgroup> wrote in message news:OXYCyAtRKHA.2092@newsgroup
    >>>>> Anyone know what the rationale is for changing your Live ID password every 90 days?
    >>>>> I've never changed mine.
    >>>>>
    >>>>> --
    >>>>> Gary VanderMolen, Microsoft MVP (Mail)
    >>>>> http://mvp.support.microsoft.com/def...le/vandermolen
    >>>>>
    >>>>>
    >>>>> "...winston" <winstonmvp@newsgroup> wrote in message news:e8ETtxqRKHA.3876@newsgroup
    >>>>>> This one's a bit more definitive with instructions and links.
    >>>>>> 10/5/2009
    >>>>>> Update: Phishing scheme affecting some Hotmail customers
    >>>>>>
    >>>>>> http://windowslivewire.spaces.live.c...y?sa=698771887
    >>>>>>
    >>>>>> <qp>
    >>>>>> Microsoft recommends customers use the following protective security measures:
    >>>>>>
    >>>>>> Renew their passwords for Windows Live IDs every 90 days
    >>>>> [snip]
    >
