[cryptography] Password non-similarity?

Bernie Cosell bernie at fantasyfarm.com
Sat Dec 31 21:02:55 EST 2011

On 31 Dec 2011 at 16:59, Steven Bellovin wrote:

> On Dec 31, 2011, at 4:36 PM, Bernie Cosell wrote:
> > On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
> > 
> >> Yes, ideally people would have a separate, strong password, changed
> >> regularly for every site.
> > 
> > This is the very question I was asking: *WHY* "changed regularly"?  What 
> > threat/vulnerability is addressed by regularly changing your password?  I 
> > know that that's the standard party line [has been for decades and is 
> > even written into Virginia's laws!], but AFAICT it doesn't do much of 
> > anything other than encourage users to be *LESS* secure with their 
> > passwords.
> The standard rationale is that for any given time interval, there's a
> non-zero probability that a given password has been compromised.

Just so!  But of course what I'm asking is whether that's all 
basically just apocryphal [and perhaps it's past time to push back on 
that "knee jerk" policy].


Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie at fantasyfarm.com     Pearisburg, VA
    -->  Too many people, too few sheep  <--       
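The "non-zero probability per time interval" rationale quoted above can be put in numbers. The block below is an added worked example, not code or analysis from anyone in this thread: it assumes (an assumption for the example, not something the thread states) that compromises of the current password arrive as a Poisson process at a constant daily rate, that a rotation invalidates whatever the attacker holds until the next compromise, and that nothing else ever detects the attacker. Under that model it derives and checks the expected fraction of time an attacker holds a valid password for a given rotation period, with "never rotate" being the same formula applied to the whole horizon. It quantifies only the benefit side of the rationale; the cost Bernie raises (users choosing weaker passwords to cope with rotation) is outside the model.

```python
import math
import random


def expected_exposed_fraction(rate_per_day: float, period_days: float) -> float:
    """Expected fraction of time an attacker holds a *valid* password.

    Model (an assumption for this example): compromises of the current
    password arrive as a Poisson process with `rate_per_day`, and every
    `period_days` the password is changed, which invalidates whatever the
    attacker has until the next compromise.  Nothing else ever detects or
    evicts the attacker.

    Within one period of length T the attacker obtains the password at the
    first arrival X ~ Exp(r) and keeps it until the period ends, so the
    exposed time is max(T - X, 0) and E[max(T - X, 0)] = T - (1 - e^{-rT})/r.
    Dividing by T gives the fraction below.  "Never rotate" is the same
    formula with T set to the whole horizon of interest.
    """
    x = rate_per_day * period_days
    if x <= 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def simulate_exposed_fraction(rate_per_day: float, period_days: float,
                              horizon_days: float, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: walk through rotation periods,
    draw the first compromise in each, and accumulate exposed time."""
    rng = random.Random(seed)
    exposed = 0.0
    period_start = 0.0
    while period_start < horizon_days:
        period_end = min(period_start + period_days, horizon_days)
        # Time of the first compromise in this period (memoryless arrivals).
        first_compromise = period_start + rng.expovariate(rate_per_day)
        if first_compromise < period_end:
            exposed += period_end - first_compromise
        period_start = period_end
    return exposed / horizon_days


def exposure_table(rate_per_day: float, periods: list[float]) -> dict[float, float]:
    """Exposed fraction for each candidate rotation period, to compare policies."""
    return {p: expected_exposed_fraction(rate_per_day, p) for p in periods}


if __name__ == "__main__":
    # Constructed parameters: one compromise per year on average, and a
    # ten-year horizon standing in for "never rotate".
    rate = 1.0 / 365.0
    for period, frac in exposure_table(rate, [30.0, 90.0, 365.0, 3650.0]).items():
        print(f"rotate every {period:6.0f} days: attacker holds a valid "
              f"password {100 * frac:5.1f}% of the time")
```

For small rate*period the fraction is roughly rate*period/2, so halving the rotation period roughly halves the attacker's expected window; the model says nothing about whether the compromise rate itself goes up when rotation pushes users toward weaker or patterned passwords, which is exactly the point in dispute above.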
