I agree with the article but feel that some of the commentary could be a little more nuanced. The thrust of the article is that forcing regular password changes irritates users, who then turn to patterns such as adding a number to the end of the password and incrementing it at each change. I've seen my share of users who will happily announce to the world that their password is 'August2016' without being asked.
If MySpace forced passwords to expire every 30 days and you found 'March2008' in the recent MySpace breach, it wouldn't take a genius to work out what was next.
On the other hand, occasional password changes do have their place. Should MySpace wait until there is public evidence of a breach to force a reset? What about other organisations, like Facebook and Netflix, that reset the passwords of users who had reused their MySpace password? There are a lot of ifs here:
- If MySpace had used a slow, salted password hash like PBKDF2 or bcrypt, then all but the weakest (and most predictable) passwords would have survived the breach; and
- If users had picked passwords with a significant amount of entropy, they wouldn't have been cracked even if MySpace had used plain MD5; and
- If users didn't reuse passwords across sites, a MySpace breach wouldn't be a problem for any other site anyway; and
- If ...
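To make the first two "ifs" concrete, here is an added example (my own illustration, not code from the article or from MySpace) that builds the attacker's candidate list from a leaked 'March2008' under a 30-day expiry policy and tries it against accounts stored with unsalted MD5 and with salted PBKDF2. The user names, passwords and the low iteration count are constructed for the demonstration.

```python
import hashlib
import os

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def rotation_candidates(leaked: str, periods: int = 12) -> list[str]:
    """Given a leaked 'MonthYYYY' password and a monthly expiry policy, return
    the passwords a user following that pattern would pick over the next
    `periods` rotations. Returns [] if the leak does not match the pattern."""
    for i, month in enumerate(MONTHS):
        suffix = leaked[len(month):]
        if leaked.startswith(month) and suffix.isdigit():
            year = int(suffix)
            return [f"{MONTHS[(i + step) % 12]}{year + (i + step) // 12}"
                    for step in range(1, periods + 1)]
    return []


def md5_store(password: str) -> dict:
    """Unsalted MD5, the way many older sites stored passwords."""
    return {"scheme": "md5", "hash": hashlib.md5(password.encode()).digest()}


def pbkdf2_store(password: str, iterations: int = 100_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is the attacker's
    per-guess cost multiplier (use a much higher count in production)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, guess: str) -> bool:
    if record["scheme"] == "md5":
        return hashlib.md5(guess.encode()).digest() == record["hash"]
    digest = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                                 record["salt"], record["iterations"])
    return digest == record["hash"]


def crack(records: dict, candidates: list[str]) -> tuple[dict, int]:
    """Try every candidate against every account. Returns the recovered
    passwords and the number of hash computations the attacker performed."""
    found, work = {}, 0
    table = None  # unsalted scheme: hash each candidate once, reuse for every account
    for user, record in records.items():
        if record["scheme"] == "md5":
            if table is None:
                table = {hashlib.md5(c.encode()).digest(): c for c in candidates}
                work += len(candidates)
            if record["hash"] in table:
                found[user] = table[record["hash"]]
        else:  # salted: every account costs a fresh PBKDF2 run per candidate
            for guess in candidates:
                work += 1
                if verify(record, guess):
                    found[user] = guess
                    break
    return found, work


# Constructed sample accounts: two users follow the month+year pattern,
# one uses a password-manager style random string.
SAMPLE_USERS = {"alice": "April2008", "bob": "June2008", "carol": "V9q!mRt2#kLp7$Xe"}


def demo(iterations: int = 1_000) -> dict:
    candidates = rotation_candidates("March2008", periods=3)  # the next three months
    md5_records = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    pbkdf2_records = {u: pbkdf2_store(p, iterations) for u, p in SAMPLE_USERS.items()}
    return {
        "candidates": candidates,
        "md5": crack(md5_records, candidates),
        "pbkdf2": crack(pbkdf2_records, candidates),
    }


if __name__ == "__main__":
    print(demo())
```

The slow hash multiplies the cost of every guess, and the salt means the attacker pays that cost once per account rather than once per candidate; but three candidates are still three candidates, so both pattern followers fall to either scheme while the random password survives both. That is what "all but the weakest" means in practice: the hash buys time only for passwords that were not predictable to begin with.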
Our natural response as security professionals is to try to force good password hygiene, so we resort to expiry dates and complexity requirements, which in practice shrink the space of passwords users can choose from.
We should instead look at ways to encourage good password hygiene: sign-up forms can offer to generate a password[1] and a button to copy it to the clipboard so that users can paste it into a password manager. Perhaps organisations should include a tool like KeePass in the standard operating environment and make it available on every desktop.
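As an added example (mine, not from the article or from any password manager), here is the generation logic such a "generate a password" button needs, next to a rough entropy comparison with the 'MonthYYYY' habit. The 16-character length, the assumption that the form accepts all 94 printable ASCII symbols, and the "about 100 plausible years" figure are my own choices for the illustration.

```python
import math
import secrets
import string

# 94 printable ASCII symbols; the assumption here is that the sign-up form
# accepts all of them (many real forms do not, so trim the alphabet to match).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from `alphabet`. secrets.choice draws from
    the OS CSPRNG without modulo bias; random.choice (Mersenne Twister) or
    `byte % len(alphabet)` would be the wrong tools for this job."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(space_size: int, length: int = 1) -> float:
    """Entropy of `length` independent uniform draws from `space_size` options."""
    return length * math.log2(space_size)


def compare() -> dict:
    """Guessing space of the 'MonthYYYY' pattern (12 months x ~100 plausible
    years, an assumed figure) against a generated 16-character password."""
    return {
        "pattern_bits": entropy_bits(12 * 100),
        "generated_bits": entropy_bits(len(ALPHABET), 16),
        "sample": generate_password(16),
    }


if __name__ == "__main__":
    r = compare()
    print(f"MonthYYYY pattern: {r['pattern_bits']:.1f} bits")
    print(f"generated 16 chars: {r['generated_bits']:.1f} bits, e.g. {r['sample']}")
```

In a browser the same idea uses crypto.getRandomValues (with rejection sampling to avoid modulo bias) and navigator.clipboard.writeText for the copy button; the server never needs to see the generated value before the user submits it. The point of the comparison is the gap between roughly ten bits for the pattern and over a hundred for the generated string: no expiry policy closes that gap, but a generator plus a password manager does.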
My preferred method of generating passwords is