[cryptography] Password non-similarity?

John Levine johnl at iecc.com
Sat Dec 31 16:44:27 EST 2011


>This is the very question I was asking: *WHY* "changed regularly"?  What 
>threat/vulnerability is addressed by regularly changing your password?

I finally realized that's so when the organization gets pwn3d, you
won't have used the stolen passwords anywhere else.  Or maybe they
imagine that if your password is stolen somewhere else, you won't have
changed all the passwords at the same time.

There's also the backup tape that fell off a truck issue, but it's a
pretty lame organization who decides to push that risk onto the
million users rather than the three IT guys who should be managing the
database and backup passwords and related security.  (We assume, for
the purposes of argument, that there are still backup tapes in use
somewhere.)

The incentives of the people setting the rules are often not aligned
with the interests of the users.

R's,
John
