[cryptography] Password non-similarity?

John Levine johnl at iecc.com
Sat Dec 31 17:09:08 EST 2011


>The standard rationale is that for any given time interval, there's a
>non-zero probability that a given password has been compromised.  At
>some point, the probability is high enough that it's a real risk.

Sure, but where does that probability come from?  (Various tactless
anatomical guesses elided here.)  If the probability is low enough the
replacement interval could be greater than the lifetime of the system.
I see they relate it to the guess rate, so I'd rather limit that than
push costs on users and force them to rotate passwords.

R's,
John

PS: Masking passwords as they're typed made a lot of sense on an
ASR-33.  Is this another throwback?
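
A toy model of the guess-rate argument above, added here as an illustration and not part of John's post or of any standard's text: a uniformly random password of H bits of entropy, an attacker who makes r guesses per second without repeating any, and a probability bound of (guesses made)/2^H. Under that model the rotation interval needed to keep the risk under a chosen threshold scales with 1/r, so throttling the guess rate pushes the interval past the lifetime of the system. The entropy (40 bits), the three guess rates, the 1e-3 threshold and the 20-year system lifetime are assumed values chosen for the illustration; the model ignores compromise by other channels (phishing, reuse, a leaked hash being cracked offline), which rotation addresses only by accident.

```python
"""Toy guess-rate model for password rotation intervals.

Constructed illustration; the parameters below are assumptions, not
figures from the mailing-list post or from any guidance document.
"""

SECONDS_PER_YEAR = 365 * 86400


def compromise_probability(entropy_bits: float, guess_rate: float,
                           seconds: float) -> float:
    """Upper bound on the chance that an attacker guessing at `guess_rate`
    guesses/second finds a uniformly random password of `entropy_bits`
    bits within `seconds`.  With no repeated guesses this is
    (guesses made) / (size of keyspace), capped at 1."""
    guesses = guess_rate * seconds
    return min(1.0, guesses / 2.0 ** entropy_bits)


def rotation_interval_years(entropy_bits: float, guess_rate: float,
                            max_probability: float) -> float:
    """Longest interval (in years) before the bound above reaches
    `max_probability`, i.e. the rotation period that keeps guessing risk
    under the threshold.  Note it is inversely proportional to guess_rate."""
    seconds = max_probability * 2.0 ** entropy_bits / guess_rate
    return seconds / SECONDS_PER_YEAR


def compare(entropy_bits: float = 40.0, max_probability: float = 1e-3,
            system_lifetime_years: float = 20.0) -> dict:
    """Evaluate three assumed attacker guess rates against the same password
    policy and report whether rotation within the system's lifetime is
    needed at all under the chosen threshold."""
    scenarios = {
        # assumed rates: an unthrottled login endpoint, a throttled one,
        # and an attacker cracking a leaked hash offline
        "unthrottled online (10 guesses/s)": 10.0,
        "throttled online (100 guesses/day)": 100.0 / 86400,
        "offline hash cracking (1e9 guesses/s)": 1e9,
    }
    results = {}
    for name, rate in scenarios.items():
        years = rotation_interval_years(entropy_bits, rate, max_probability)
        results[name] = {
            "p_one_year": compromise_probability(entropy_bits, rate,
                                                 SECONDS_PER_YEAR),
            "rotation_years": years,
            "rotation_needed": years < system_lifetime_years,
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:40s} p(1yr)={r['p_one_year']:.2e} "
              f"rotate every {r['rotation_years']:.3g} yr "
              f"needed={r['rotation_needed']}")
```

With these assumed numbers the unthrottled endpoint calls for rotation roughly every 3.5 years, the throttled one every thirty thousand years (so never, in practice), and the offline case every few minutes, which is the scenario where rotation is no answer at all and the hash must simply not leak or be slow to crack.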



