[cryptography] Password non-similarity?

Von Welch von at vonwelch.com
Mon Jan 2 10:01:47 EST 2012


> Bernie Cosell <bernie at fantasyfarm.com> writes:
>> On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
>>> Yes, ideally people would have a separate, strong password, changed
>>> regularly for every site.
>> 
>> This is the very question I was asking: *WHY* "changed regularly?  What 
>> threat/vulnerability is addressed by regularly changing your password?  I 
>> know that that's the standard party line [has been for decades and is 
>> even written into Virginia's laws!], but AFAICT it doesn't do much of 
>> anything other than encourage users to be *LESS* secure with their 
>> passwords.

I was discussing this question of why "regularly force password changes" of a colleague who was responsible for security at a large University and his answer was you want to force undergraduates to change their passwords at a frequency that approximately matches the length of the average undergraduate romantic relationship. The implication being they tended to share the passwords with their boy/girlfriend and the forced change reduced the post-break up issues IT had to deal with.

That anecdote aside, I agree this is a piece of advice that needs to go (along with password masking and other carry overs from the days of computers being rare and solely in centralized labs).

Von

On Dec 31, 2011, at 5:02 PM, Peter Gutmann wrote:

> Bernie Cosell <bernie at fantasyfarm.com> writes:
>> On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
>>> Yes, ideally people would have a separate, strong password, changed
>>> regularly for every site.
>> 
>> This is the very question I was asking: *WHY* "changed regularly?  What 
>> threat/vulnerability is addressed by regularly changing your password?  I 
>> know that that's the standard party line [has been for decades and is 
>> even written into Virginia's laws!], but AFAICT it doesn't do much of 
>> anything other than encourage users to be *LESS* secure with their 
>> passwords.
> 
> This requires an answer that's waaay too long to post here, I've made an 
> attempt (with lots of references to historical docs) in the chapter 
> "Passwords" in http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf (it's 
> easier to post the link than to post large extracts here, since the discussion 
> is fairly in-depth).
> 
> If there's anything I've missed or overlooked in that, let me know.
> 
> Peter.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography




More information about the cryptography mailing list