[cryptography] Password non-similarity?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Dec 31 17:02:03 EST 2011


Bernie Cosell <bernie at fantasyfarm.com> writes:
>On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
>> Yes, ideally people would have a separate, strong password, changed
>> regularly for every site.
>
>This is the very question I was asking: *WHY* "changed regularly"?  What 
>threat/vulnerability is addressed by regularly changing your password?  I 
>know that that's the standard party line [has been for decades and is 
>even written into Virginia's laws!], but AFAICT it doesn't do much of 
>anything other than encourage users to be *LESS* secure with their 
>passwords.

This requires an answer that's waaay too long to post here; I've made an 
attempt (with lots of references to historical docs) in the chapter 
"Passwords" in http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf (it's 
easier to post the link than to post large extracts here, since the discussion 
is fairly in-depth).

If there's anything I've missed or overlooked in that, let me know.

Peter.
