[cryptography] Password non-similarity?

John Levine johnl at iecc.com
Sat Dec 31 12:32:06 EST 2011


>> You can't force people to invent and memorize an endless stream of
>> unrelated strong passwords.
>
>I'm not sure I agree with this phrasing.  It is easy to memorize a strong 
>password -- it just has to be long enough. 

Don't forget "endless stream of unrelated".  I have some strong
passwords for the accounts that matter, but I don't have to start over
every month.


>So what problem _is_ being addressed by requiring passwords to be changed 
>so often [and so inconveniently]?

Compliance with standards written by people who created the standard
by copying standards they saw other places.  I suspect a lot of them
still trace back to attacks on /etc/passwd on PDP-11 Unix.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly


