[cryptography] Password non-similarity?

Bernie Cosell bernie at fantasyfarm.com
Sat Dec 31 21:02:55 EST 2011

On 31 Dec 2011 at 21:44, John Levine wrote:

> >This is the very question I was asking: *WHY* "changed regularly"?  What
> >threat/vulnerability is addressed by regularly changing your password?
> I finally realized, that's so when the organization gets pwn3d, you
> won't have used the stolen passwords anywhere else.  Or maybe they
> imagine that if your password is stolen somewhere else, you won't have
> changed all the passwords at the same time.

Really?  So you're proposing *cross*site* non-reuse?  How does that work?
If you make me change passwords, and many sites do that, what incentive
is there to do anything other than use the same password [or a trivial
mod] for each?

> There's also the backup tape that fell off a truck issue, but it's a
> pretty lame organization who decides to push that risk onto the
> million users rather than the three IT guys who should be managing the
> database and backup passwords and related security.

But I don't understand again: if that happens, then presumably the IT
folk *know* and _then_ you can make everyone change their passwords [at
least for a reason].

