[cryptography] Password non-similarity?

Bernie Cosell bernie at fantasyfarm.com
Sat Dec 31 21:02:55 EST 2011

On 1 Jan 2012 at 11:02, Peter Gutmann wrote:

> Bernie Cosell <bernie at fantasyfarm.com> writes:
> >On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
> >> Yes, ideally people would have a separate, strong password, changed
> >> regularly for every site.
> >
> >This is the very question I was asking: *WHY* "changed regularly"?  What 
> >threat/vulnerability is addressed by regularly changing your password?  I 
> >know that that's the standard party line [has been for decades and is 
> >even written into Virginia's laws!], but AFAICT it doesn't do much of 
> >anything other than encourage users to be *LESS* secure with their 
> >passwords.
> This requires an answer that's waaay too long to post here, I've made an 
> attempt (with lots of references to historical docs) in the chapter 
> "Passwords" in http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf (it's 
> easier to post the link than to post large extracts here, since the discussion 
> is fairly in-depth).

Actually, it isn't too large an extract to, basically, make my point:

    Another tenet of best-practice password management is to expire
    passwords at regular intervals and sometimes to enforce some sort of
    timeout on logged-in sessions [64].  Requiring password changes is
    one of those things that many systems do but no-one has any idea
    why.  Purdue professor Gene Spafford thinks this may have its
    origins in work done with a standalone US Department of Defence
    (DoD) mainframe system for which the administrators calculated that
    their mainframe could brute-force a password in x days and so a
    period slightly less than this was set as the password- change
    interval [65].  Like the ubiquitous "Kilroy was here" there are
    various other explanations floating around for the origins of this
    requirement, but in truth no-one really knows for sure where it came
    from.  In fact the conclusion of the sole documented statistical
    modelling of password change, carried out in late 2006, is that
    changing passwords doesn't really matter ...


Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie at fantasyfarm.com     Pearisburg, VA
    -->  Too many people, too few sheep  <--       
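The Spafford anecdote quoted above describes a concrete calculation: work out how long the attacker's machine needs to exhaust the password space, then set the change interval a little shorter. The following Python is an added illustration of that reasoning, not code from the thread or from Gutmann's book. It assumes uniformly random passwords, an attacker limited to exhaustive guessing at a fixed rate, and the guess rates and password sizes used are constructed inputs chosen only to show how the same formula behaves when the rate assumption changes.

```python
"""Model of the "rotate just before brute force completes" rule.

Assumptions (not from the original thread):
  * passwords are drawn uniformly from alphabet_size ** length candidates
  * the attacker guesses at a constant rate and never repeats a guess
  * the attacker's only route to the password is this guessing
"""
from math import floor

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords the attacker must cover."""
    return alphabet_size ** length


def days_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time for an exhaustive search of the whole keyspace, in days."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_DAY


def rotation_interval_days(alphabet_size: int, length: int,
                           guesses_per_second: float, margin_days: int = 1) -> int:
    """The anecdote's rule: an interval slightly shorter than the search time.

    Never goes below one day; if the search finishes in under a day the rule
    has nothing sensible to offer.
    """
    return max(1, floor(days_to_exhaust(alphabet_size, length, guesses_per_second)) - margin_days)


def success_probability(alphabet_size: int, length: int,
                        guesses_per_second: float, window_days: float) -> float:
    """Chance the attacker lands on a uniformly random password before the
    window closes: fraction of the keyspace covered in that time, capped at 1."""
    covered = guesses_per_second * window_days * SECONDS_PER_DAY
    return min(1.0, covered / keyspace(alphabet_size, length))


if __name__ == "__main__":
    # Constructed scenario A: 8 lowercase letters, 10,000 guesses/s (a slow machine).
    print("A: exhaust in %.1f days" % days_to_exhaust(26, 8, 1e4))
    print("A: rule sets interval of %d days" % rotation_interval_days(26, 8, 1e4))
    print("A: attacker success before rotation: %.3f"
          % success_probability(26, 8, 1e4, rotation_interval_days(26, 8, 1e4)))
    # Constructed scenario B: same passwords, 1e9 guesses/s (a fast offline attack).
    print("B: exhaust in %.4f days" % days_to_exhaust(26, 8, 1e9))
    print("B: attacker success within one day: %.1f" % success_probability(26, 8, 1e9, 1))
```

Two things fall out of running it. First, even where the premise holds, an interval set just under the exhaustive-search time still leaves the attacker with nearly the whole keyspace covered by the time the password changes, so the rule only trims the last few percent of risk. Second, the interval is a function of the attacker's guess rate, which the defender does not control; once guessing is fast enough to finish inside a single interval, no rotation schedule derived this way helps, which is consistent with the extract's conclusion that changing passwords does not really matter.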
