On 1/01/12 03:02 AM, Bernie Cosell wrote:
So what problem _is_ being addressed by requiring passwords to be changed so often [and so inconveniently]?
As far as I can tell, a lot of password threat modelling was pretty much settled in the days before the Internet. In those days, the threats were more what we might now characterise as insider threats - attackers who could watch the users typing in the passwords over the shoulder. Part of that model was that an attacker might need multiple events to pick up the entire password or enough of it to contribute to a breach.
When I was a rough raw teenager doing this, I needed around 2 weeks to pick up 5 letters from someone typing like he was electrified. The other 3 were crunched in 4 hours on a vax780.
Force-changing the password reduces the exposure to shoulder-surfing. In some corporate environments they also see password changes as a way to reduce account sharing, but then users typically fight back with the +1 technique.
Another artifact of those times was the password not displaying visibly on the screen. Mac passwords now show the last letter ... which seems more useful to the attacker than the user, but it is better to encourage any step towards updating a dead threat model. More sophisticated interfaces have a feature to turn on password display.
It is only in recent times that people have started to rethink, and decided the pre-Internet model is unhelpful. Although, the attack model has enjoyed a resurgence with skimming attacks on payment systems, with attackers either being present or mounting cameras above the keypad to catch the finger presses.
iang, hny, fwiw, typing fast...
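The "+1 technique" mentioned above, users answering forced rotation by bumping a trailing number, is something a password-change handler can check for. The following is an added example, not code from the thread or from any list member; the function names and the sample passwords are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Added example (not from the mailing-list thread): reject a new password that is
# the current one with a trailing number appended or nudged, e.g. Winter11 -> Winter12.
# Sample passwords used in the tests are constructed values.

# Lazy stem followed by a run of digits at the very end of the string.
_TRAILING_NUMBER = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def split_trailing_number(password: str) -> Tuple[str, Optional[int]]:
    """Return (stem, trailing integer) or (password, None) when it ends in no digits."""
    match = _TRAILING_NUMBER.match(password)
    if match is None:
        return password, None
    return match.group("stem"), int(match.group("num"))


def is_increment_variant(old: str, new: str, max_step: int = 5) -> bool:
    """True when `new` is `old` with a number added or changed by at most `max_step`.

    The stem comparison is case-insensitive so Winter9 -> winter10 is still caught.
    """
    old_stem, old_num = split_trailing_number(old)
    new_stem, new_num = split_trailing_number(new)
    if old_stem.lower() != new_stem.lower():
        return False          # different underlying word; not a +1 change
    if new_num is None:
        return False          # user dropped the number entirely
    if old_num is None:
        return True           # number appended to an otherwise unchanged password
    return abs(new_num - old_num) <= max_step


def check_change(current: str, candidate: str) -> Tuple[bool, str]:
    """Policy decision for a change request; `current` is the plaintext the user
    supplies to authorise the change, so it is available for comparison."""
    if candidate.lower() == current.lower():
        return False, "reuses the current password"
    if is_increment_variant(current, candidate):
        return False, "trivial variant of the current password"
    return True, "ok"
```

Because earlier passwords are normally stored only as hashes, this comparison is only possible against the current password the user types at change time, not against the whole history.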
