[cryptography] Password non-similarity?

lodewijk andré de la porte lodewijkadlp at gmail.com
Mon Jan 2 17:16:52 EST 2012


The reason for regular change is very good. It's that the low-intensity
brute forcing of a password requires a certain stretch of time. Put the
change interval low enough and you're safer from them.

We've had someone talk on-list about a significant amount of failed remote
ssh login attempts. Should he chose not to force user to change their
passwords they wouldn't. And the likelyhood of a successfull login
would improve with the years (given coordination) to somewhere above the
admin's comfort zone.

The timeframe in which a password has to change also limits the maximum
time exposed once someone has cracked it. This is relevant when the
adversary needs multiple opportunity's to coincide. The amount of time
it'll have access without triggering resource-counting or other
"suspicious behavior" alarms becomes limited, as changing a password would
either lock him or the legitimate user out.

For most systems though, it's a complete waste of time.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20120102/4ac2ccd2/attachment.html>


More information about the cryptography mailing list