[cryptography] Password non-similarity?

Jeffrey Walton noloader at gmail.com
Sat Dec 31 16:57:41 EST 2011


On Sat, Dec 31, 2011 at 4:44 PM, John Levine <johnl at iecc.com> wrote:
>>This is the very question I was asking: *WHY* "changed regularly"?  What
>>threat/vulnerability is addressed by regularly changing your password?
>
> I finally realized, that's so when the organization gets pwn3d, you
> won't have used the stolen passwords anywhere else.  Or maybe they
> imagine that if your password is stolen somewhere else, you won't have
> changed all the passwords at the same time.

Sadly, I'm a poster child for reuse and stolen passwords. When GNU's
Savannah was broken into [1], Google had to suspend an alternate GMail
account due to spamming. I used the same password under GNU and GMail
(and the GMail account name was easily guessable - jeffrey.w.walton).
The password was non-trivial - 8 characters, upper/lower, three
numbers, and one symbol.

+1 to GNU, Mailman, and their data security practices (plain text and
unsalted MD5 secrets).
+1 to me for reuse.

I no longer use passwords for Mailman (let them pick their own
throwaway password), I no longer reuse passwords, and I try not to use
guessable account names (unavoidable when corporate email addresses
are assigned).

Jeff

[1] http://www.theregister.co.uk/2010/12/01/gnu_savannah_hacked/