Bernie Cosell <[email protected]> writes:

>On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
>> Yes, ideally people would have a separate, strong password, changed
>> regularly for every site.
>
>This is the very question I was asking: *WHY* "changed regularly"? What
>threat/vulnerability is addressed by regularly changing your password? I
>know that that's the standard party line [has been for decades and is
>even written into Virginia's laws!], but AFAICT it doesn't do much of
>anything other than encourage users to be *LESS* secure with their
>passwords.
This requires an answer that's waaay too long to post here. I've made an attempt (with lots of references to historical docs) in the chapter "Passwords" in http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf (it's easier to post the link than to post large extracts here, since the discussion is fairly in-depth). If there's anything I've missed or overlooked in that, let me know.

Peter.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
