> The standard rationale is that for any given time interval, there's a
> non-zero probability that a given password has been compromised. At
> some point, the probability is high enough that it's a real risk.

Sure, but where does that probability come from? (Various tactless anatomical guesses elided here.) If the probability is low enough, the replacement interval could be greater than the lifetime of the system.

I see they relate it to the guess rate, so I'd rather limit that than push costs on users and force them to rotate passwords.

R's,
John

PS: Masking passwords as they're typed made a lot of sense on an ASR-33. Is this another throwback?

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
