#eggshavingexercise

They say that there are 2 things that are inevitable - Death & Taxes. I would like to add one more to it - Password Change.

Given the amount of digital services you use, Password Change is going to happen for one service or another that you use, pretty soon & often. Even if you have a fairly complex password and do not want to change it often, in some cases, you will be forced to change it by whoever runs the service - it could be banks & financial institutions or even your office IT security people. 

On the last part, it used to be that I would be forced to change my Windows Domain password every 45 days or so. Now, they have started forcing me to change my mobile’s lock screen password as well, once in those many days, thanks to Airwatch app, that I need to be able to access emails.

And I am one of those people who cannot stand notifications and change the password the first time the notice appears - It starts appearing 10 days before it expires. Therefore, the life of each password is 35 days for me, instead of 45 days for people who can put up with notifications.

After changing my Windows (after 35 days) & Lockscreen (after 6 months since this is a new policy now) passwords in quick succession, there are several things that I have noted:

It just took 2 days for me to stop typing the old password (”muscle memory”) in case of Windows. But even after 5 days, I have been typing the old password in the phone lockscreen still. Wonder how long it would take to completely change.

We should also note that there are 2 things involved here - The number of days the password has remained and the number of times it has been used. While I may type the password some 20 times in a day in case of a PC, it is more like 100 times in a phone. That makes it 35*10 = 350 times in the PC, versus 180 * 100 = 18000 in a phone. 

These typically are the steps involved in the process:

Inevitable has happened - Password has been changed

For the first few times, you will type the old password, hit Enter and realize only after the error screen pops up. Even within that, the first few times will be one of thinking you made a typo and then the next few times, you would realize you typed the old password

Next few times, you will type the old password and realize just as you hit Enter but damage has been done

Next few times, you will type the old password and realize even as you are typing that you are typing it wrong. Then the dilemma is - are you going to type it fully, press Enter and wait for the error message. Or are you going to press backspace multiple times to type the new one? Which is going to take more time or less time? By the time this thought occurs, your muscle has typed the old one already and won ( (I am somewhere here in my mobile)

Next few times, you get conscious before typing it and directly enter the new one. (I am somewhere here in my PC)

Next few times, you start typing the new one directly without much effort but then feel happy that you did it

Next few times, it does not matter, you do not even remember that you did something spectacular here by directly typing new password

Next few times, your new password becomes part of your muscle memory

And then, you get a pop-up that you need to change your password.

Based on these thoughts, I have framed this law, which shall be called ‘Carnivas Law of Password Change’ henceforth

Sooner you change your password, sooner your fingers forget them. 

This is truer for passwords used more often.