On 31 Dec 2011 at 15:17, John Levine wrote:

> You can't force people to invent and memorize an endless stream of
> unrelated strong passwords.

I'm not sure I agree with this phrasing. It is easy to memorize a strong password -- it just has to be long enough. The problem as I see it is that way too many systems use a way-too-short password and then try to make it 'strong' by larding it up with being-random and including punctuation marks and junk like that. I teach an information security class and in it I argue that *LONG* is the most important criterion for having a password be strong _and_effective_. Randall had it exactly right, IMO: <http://xkcd.com/936/>

> The more often you make people change passwords, the less effort they
> are willing to put into each password, so you can be absolutely sure
> that if you demand a new password every month, they will use dog+digit
> or whatever is the easiest way to get a password that will let them
> log in and get their fripping job done.

I agree. One thing we discussed in class [to no real resolution] is what vulnerability is being addressed by requiring passwords to be changed [much less changed and not allowing reuse].

With systems confirming your 'last login' when you authenticate, the vulnerability of an attacker using your account for a long time without your knowing [and so being able to do something about it] doesn't seem like a big risk. With systems limiting failed logins [and using other secondary authentications, e.g., for logins from a new IP addr], brute force seems like it isn't much of a risk. There *IS* a risk of a major breach at the server compromising the entire user password DB [at which point it can be brute-forced at the attacker's leisure], but that's unlikely [IMO] to go unnoticed and so, too, doesn't seem like a big risk.

So what problem _is_ being addressed by requiring passwords to be changed so often [and so inconveniently]?

/Bernie\
--
Bernie Cosell                     Fantasy Farm Fibers
mailto:[email protected]     Pearisburg, VA
    -->  Too many people, too few sheep  <--

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
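The two points argued in the message above (length beats character-class complexity, and forced rotation buys little against the offline-cracking case) can be put in numbers. The following is an added worked example, not code from the original post or from the list. It uses the standard entropy model behind xkcd 936 and Diceware: a password chosen uniformly at random from N symbols of alphabet size A carries N * log2(A) bits, and an exhaustive search is expected to succeed after trying half the keyspace. The guess rates, the 7776-word and 50,000-word list sizes, and the candidate policies are constructed assumptions for illustration; the offline rate assumes a fast unsalted hash, and a deliberately slow KDF such as bcrypt or scrypt would lower it by several orders of magnitude.

```python
import math

# Constructed guess rates (assumptions, not from the original post).
ONLINE_RATE = 1_000              # guesses/s against a rate-limited login; the figure xkcd 936 uses
OFFLINE_RATE = 10_000_000_000    # guesses/s against a leaked DB of a fast, unsalted hash (assumed)


def charset_entropy_bits(length, alphabet_size):
    """Bits of entropy in a password of `length` symbols drawn uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(word_count, wordlist_size):
    """Bits of entropy in a passphrase of `word_count` words drawn uniformly
    at random from a list of `wordlist_size` words (the xkcd 936 / Diceware model)."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an exhaustive search to hit a password of `bits`
    entropy: on average half of the 2**bits keyspace must be tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def rotation_helps(bits, guesses_per_second, rotation_days):
    """True when the expected offline crack time exceeds the rotation period,
    i.e. when forced rotation could plausibly retire a leaked hash before it falls."""
    return expected_crack_seconds(bits, guesses_per_second) > rotation_days * 86400


# Candidate password policies (constructed examples).
POLICIES = {
    "dog+digit (word from a 50k list + one digit)": wordlist_entropy_bits(1, 50_000) + charset_entropy_bits(1, 10),
    "8 random printable ASCII chars (95 symbols)":  charset_entropy_bits(8, 95),
    "4 random Diceware words (7776-word list)":     wordlist_entropy_bits(4, 7776),
    "6 random Diceware words (7776-word list)":     wordlist_entropy_bits(6, 7776),
}


def compare_policies(rotation_days=30):
    """Entropy and expected crack times for each policy at both guess rates,
    plus whether rotating every `rotation_days` days changes the offline outcome."""
    rows = []
    for name, bits in POLICIES.items():
        rows.append({
            "policy": name,
            "bits": round(bits, 1),
            "online": humanize(expected_crack_seconds(bits, ONLINE_RATE)),
            "offline": humanize(expected_crack_seconds(bits, OFFLINE_RATE)),
            "rotation_helps": rotation_helps(bits, OFFLINE_RATE, rotation_days),
        })
    return rows


if __name__ == "__main__":
    for row in compare_policies():
        print(f"{row['policy']:<46} {row['bits']:>5} bits  "
              f"online: {row['online']:<22} offline: {row['offline']:<22} "
              f"monthly rotation useful? {row['rotation_helps']}")
```

Run as a script, the table shows 8 random printable characters (about 52.6 bits) and 4 random Diceware words (about 51.7 bits) as near-equal in strength, with the passphrase far easier to remember; both survive the rate-limited online attacker for tens of thousands of years but fall to the assumed offline rate in a few days, so a 30-day rotation does nothing for them. Six words (about 77.5 bits) survive the offline attacker for hundreds of thousands of years, so rotation is not needed. Under these assumptions rotation either cannot keep up or is unnecessary, which is a numeric form of the question the message ends on.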
