[cryptography] Password non-similarity?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Dec 31 17:02:03 EST 2011

Bernie Cosell <bernie at fantasyfarm.com> writes:
>On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
>> Yes, ideally people would have a separate, strong password, changed
>> regularly for every site.
>This is the very question I was asking: *WHY* "changed regularly"?  What
>threat/vulnerability is addressed by regularly changing your password?  I
>know that that's the standard party line [has been for decades and is
>even written into Virginia's laws!], but AFAICT it doesn't do much of
>anything other than encourage users to be *LESS* secure with their

This requires an answer that's waaay too long to post here, I've made an 
attempt (with lots of references to historical docs) in the chapter 
"Passwords" in http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf (it's 
easier to post the link than to post large extracts here, since the discussion 
is fairly in-depth).

If there's anything I've missed or overlooked in that, let me know.


More information about the cryptography mailing list