[cryptography] Password non-similarity?

Randall Webmail rvh40 at insightbb.com
Sun Jan 1 00:11:27 EST 2012


From: Kevin W. Wall <kevin.w.wall at gmail.com>

>Or whatever. The misconception is of course, that this
>truly is "best practice". Pretty sure that it's some CYA
>policy along this line that is driving this. And IT has learned
>it's just easier to implement whatever legal requests than to
>argue the rationality of the decision with their legal department.

Legal is staffed by lawyers, whose first or second concern is mitigation of risk to the organization, and whose second or first concern is mitigation of risk to the lawyer making the calls.

If IT says passwords should be changed every thirty days, Legal is gonna say that passwords should be changed every thirty days.
