No doubt, this neighbor should have changed his password long ago, but there is a lot to admire about his security hygiene nonetheless.
I think it's taken too much for granted that one should change passwords on a regular basis. If we assume that changing passwords more frequently means that we are more likely to use more rememberable - and, thus, more guessable - passwords, then perhaps this is not a fluke. Perhaps "pick a truly random, long sequence and keep it for a long time" is not actually bad policy.
In short, I find it odd that the author unquestionably says his neighbor should have had different password behavior, yet it was the only password he couldn't crack. That's an opportunity to revisit assumptions.
One should change passwords on an irregular basis (a regular basis is weaker protection than an irregular basis). This is just an additional layer of security, not a perfection. If the password has ever been compromised, a password change policy removes the key from bad hands. Discovered passwords are not always immediately used; in many situations, they are stored for later use, perhaps even sold/traded.
We shouldn't make such proclamations based on reasoning along. Security policy that involves human behavior depends extensively on what humans do. So while a particular security policy may be the safest, most rational thing to do, it may fail in practice if people execute it poorly.
So, if it is true that when people regularly change their passwords, they pick poorer passwords, then perhaps those poor passwords are a larger risk than the risk of maintaining a compromised password. Again, this is not a question of what is the most rational policy. It is a question of human behavior, which means in order to find an answer, we need to study what people actually do.
I googled to see if I could find studies on this, and I did: "The True Cost of Unusable Password Policies: Password Use in the Wild" by Philip Inglesant & M. Angela Sasse: http://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf I have yet to read it in full, but they do touch on this idea at least some.
Cryptography in it's own principals are based on probability. If ignoring physical access attacks, social engineering attacks, etc are acceptable to you then yes, you can keep a "good" password for a long time. You also have to accept that out of all possible attacks accounting for nothing but brute force and basic dictionary attacks is 'enough' then you should also acknowledge the risks.
I think you're missing my key point: you have to compare two different risks, based on observation. The first risk is the risk of continuing to use a compromised password. The second risk is the risk of users introducing weaker passwords because they continually change them. We can use our reasoning to come up with a decent probability for the first risk. We cannot do so for the second risk, since it depends on how people behave. We must study people to assign a number to the second risk.
I think I see your point but you have to admit you haven't really established a foundation for your argument. You seem to feel (and I may be wrong of course) that one person selecting a fairly secure pass phrase once would be much more secure at any single point in time rather than a hap-hazard, dictionary based pass phrase that in comparison would be likely trivial to compromise at that same point of time. If that is indeed your point you do convey a valid point.
I just ask that if you advertise this method as somehow ideal then please allow for your audience to appreciate it as it is, an "if all else fails it's better than nothing" approach.
You've almost got it, but you've missed the main subtlety: I'm asking a question, not making a statement. I'm not advocating what we should do. I'm stating that what we should do is actually unknown because we don't have all of the information. Specifically, we don't know human behavior when it comes to rotating passwords. If it turns out that people actually choose good passwords under a rotating password policy, then we should keep the rotating password policy.
My only prescription is to say, instead of telling everyone "this is how you should behave" in order to achieve the best security, we should design our security policies based on how people actually behave. My assertion here is that if we do this, we will end up with better actual security than if we came up with a policy that, on paper, is better, but is not well implemented by people in the wild.
I put a keylock on my window and tripwired a claymore to my door. Problem solved.
Edit: In all seriousness, wouldn't it be logical to keep records of all IP addresses that attempt/login to the system. If you frequently see attempts made from one IP address, or IP group (ISP block) then simply prevent them accessing the login.
Further, for Wifi, wouldn't it be logical to record the MAC codes of computers trying to access the network and if one you don't recognize is frequently trying to access the system, simply block it.
It's not foolproof. Actually it probably is. It's not true security against a determined person (proxies and MAC spoofing), but then a good password protects you against fools and often not skilled individuals. A key logger on an insecure computer clearly trumps any password.
In all seriousness, wouldn't it be logical to keep records of all IP addresses that attempt/login to the system.
If you mean specific to WiFi, then no, it wouldn't be logical - often the WiFi access point acts as a DHCP server and assigns an IP. If you mean more broadly, then yes it would - see [1].
Further, for Wifi, wouldn't it be logical to record the MAC codes of computers trying to access the network and if one you don't recognize is frequently trying to access the system, simply block it
No, MAC addresses are trivially spoofable (as you note), and in some cases I believe this spoofing is automated. MAC blocking isn't a real security feature at all.
If we are talking about system passwords (router or otherwise), there's a good chance you'll just be left with something malicious (ex. key logger) that is going to render null your irregular change of passwords. Regardless, irregular updates is just another form of security by obscurity. What if your password is cracked at the beginning of an irregular cycle?
The only reason one should have to change their password is if it is significantly weak -- "crackable" -- or they enter it manually -- it is visible -- in front of others a significant number of times for them to "record" the strokes. Good password managers, more or less, solve both cases.
If using a significantly good password, from the beginning, it is pretty unlikely that anyone would go through the trouble or have the opportunity to watch you enter your password. To me, it only makes sense to change a WiFi password for the following reasons:
a) you care if people are using your network, or you do not simply keep track or whitelist-only of machines that have negotiated with your router
b) you use a short -- "crackable" -- password
c) someone can peer into rooms were they might spy on you entering your WiFi password
d) (c) happens enough that they can make out the whole password
For typical passwords -- desktops, laptops, email, etc -- it makes sense to change passwords (and use a password manager), but only for those things that really matter. Otherwise, there is probably not a lot of undo-able harm that can come of someone having access to your account(s) on <forum du jour>.
I think it's taken too much for granted that one should change passwords on a regular basis. If we assume that changing passwords more frequently means that we are more likely to use more rememberable - and, thus, more guessable - passwords, then perhaps this is not a fluke. Perhaps "pick a truly random, long sequence and keep it for a long time" is not actually bad policy.
In short, I find it odd that the author unquestionably says his neighbor should have had different password behavior, yet it was the only password he couldn't crack. That's an opportunity to revisit assumptions.