[cryptography] Password non-similarity?

John Levine johnl at iecc.com
Sat Dec 31 10:17:59 EST 2011

>>Has anyone ever implemented a system to enforce non-similarity business rules?

Sure.  Every month, the first time a user logs in generate a new
random password, show it to him, and tell him to write it down.

You can't force people to invent and memorize an endless stream of
unrelated strong passwords.  We just can't do it.  Yes, password reuse
can be a problem, but I cannot tell you how tired I am of
self-important web sites that demand super strong passwords to protect
stuff of only minor value.  My least favorite one contains nothing but
some conference papers they want me to review.  My second least
favorite only lets me look at statements for my credit card merchant
account, with the card numbers redacted.

The more often you make people change passwords, the less effort they
are willing to put into each password, so you can be absolutely sure
that if you demand a new password every month, they will use dog+digit
or whatever is the easiest way to get a password that will let them
log in and get their fripping job done.
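As an added example, not part of Levine's post or of the original thread: a password non-similarity check of the kind the quoted question asks about, written in Python. It compares the old and new password at change time (both are supplied by the user in plaintext at that moment, so no stored plaintext is needed) and rejects the rotation patterns described above, such as "dog1" to "dog2". The thresholds (`min_edit_distance=4`, `max_similarity_ratio=0.6`), the trailing-suffix stripping rule and the reason labels are assumptions of this example, not something the post specifies.

```python
"""Password non-similarity check (added example; thresholds are assumptions)."""
import difflib
import re
from dataclasses import dataclass

# Trailing digits/punctuation are what people typically bump each month
# ("dog1" -> "dog2", "Summer2011!" -> "Summer2012!"); this pattern strips them.
_ROTATING_SUFFIX = re.compile(r"[0-9!@#$%^&*()_+\-=.,]+$")


@dataclass
class SimilarityVerdict:
    accepted: bool
    reason: str  # one of: identical, reversed, contained, same_stem,
                 #         edit_distance, too_similar, ok


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete
                           cur[j - 1] + 1,          # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def stem(s: str) -> str:
    """Password with any rotating trailing digits/punctuation removed."""
    return _ROTATING_SUFFIX.sub("", s)


def check_new_password(old: str, new: str,
                       min_edit_distance: int = 4,
                       max_similarity_ratio: float = 0.6) -> SimilarityVerdict:
    """Return a verdict on whether `new` is sufficiently unlike `old`.

    Comparison is case-insensitive so that "Dog1" -> "dog1" is not a change.
    """
    o, n = old.lower(), new.lower()
    if n == o:
        return SimilarityVerdict(False, "identical")
    if n == o[::-1]:
        return SimilarityVerdict(False, "reversed")
    if o in n or n in o:
        # Old password embedded in the new one (or truncated), e.g. "dog1" -> "dog12".
        return SimilarityVerdict(False, "contained")
    if stem(o) and stem(o) == stem(n):
        # Same word, only the trailing counter changed: "dog1" -> "dog2".
        return SimilarityVerdict(False, "same_stem")
    if levenshtein(o, n) < min_edit_distance:
        return SimilarityVerdict(False, "edit_distance")
    # difflib's ratio is 2*M/T over matching blocks; 1.0 means identical.
    if difflib.SequenceMatcher(None, o, n).ratio() > max_similarity_ratio:
        return SimilarityVerdict(False, "too_similar")
    return SimilarityVerdict(True, "ok")


if __name__ == "__main__":
    # Constructed sample password changes for illustration.
    for old, new in [("dog1", "dog2"), ("dog1", "dog12"),
                     ("password1", "1drowssap"), ("abcdef", "abcxef"),
                     ("dog1", "Kx7!pQ9#")]:
        v = check_new_password(old, new)
        print(f"{old!r} -> {new!r}: {'accept' if v.accepted else 'reject'} ({v.reason})")
```

A check like this only sees the pair the user supplies at change time, so it blocks the monthly "bump the digit" habit but cannot stop a user from alternating between two unrelated passwords; that needs a history of password hashes, and it does nothing about the underlying incentive problem the post describes.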


