[cryptography] Password non-similarity?
noloader at gmail.com
Sat Dec 31 16:57:41 EST 2011
On Sat, Dec 31, 2011 at 4:44 PM, John Levine <johnl at iecc.com> wrote:
>>This is the very question I was asking: *WHY* "changed regularly"? What
>>threat/vulnerability is addressed by regularly changing your password?
> I finally realized, that's so when the organization gets pwn3d, you
> won't have used the stolen passwords anywhere else. Or maybe they
> imagine that if your password is stolen somewhere else, you won't have
> changed all the passwords at the same time.
Sadly, I'm a poster child for reuse and stolen passwords. When GNU's
Savannah was broken into, Google had to suspend an alternate GMail
account due to spamming. I used the same password under GNU and GMail
(and the GMail account name was easily guessable - jeffrey.w.walton).
The password was non-trivial - 8 characters, upper/lower, three
numbers, and one symbol.
+1 to GNU, Mailman, and their data security practices (plain text and
unsalted MD5 secrets).
+1 to me for reuse.
I no longer use passwords for Mailman (let them pick their own throw
away password), I no longer reuse passwords, and I try not to use
guessable account names (unavoidable when corporate email addresses