On 31 Dec 2011 at 21:44, John Levine wrote:

> > This is the very question I was asking: *WHY* "changed regularly"? What
> > threat/vulnerability is addressed by regularly changing your password?
>
> I finally realized, that's so when the organization gets pwn3d, you
> won't have used the stolen passwords anywhere else. Or maybe they
> imagine that if your password is stolen somewhere else, you won't have
> changed all the passwords at the same time.

Really? So you're proposing *cross-site* non-reuse? How does that work? If you make me change passwords, and many sites do that, what incentive is there to do anything other than use the same password [or a trivial mod] for each?

> There's also the backup tape that fell off a truck issue, but it's a
> pretty lame organization who decides to push that risk onto the
> million users rather than the three IT guys who should be managing the
> database and backup passwords and related security.

But I don't understand again: if that happens, then presumably the IT folk *know*, and _then_ you can make everyone change their passwords [at least for a reason].

/Bernie\
--
Bernie Cosell
Fantasy Farm Fibers
mailto:[email protected]
Pearisburg, VA
--> Too many people, too few sheep <--

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
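The "same password [or a trivial mod]" failure mode Bernie describes is something a server can at least detect at change time, when it holds both the old plaintext (the user just typed it to authorize the change) and the new one. The following is an added example written for this page, not code from the thread or from any of its participants: it normalizes both passwords (case, common leetspeak substitutions, the trailing counter and symbol people bump on each rotation) and flags the new one if it is the same core, a reversal, a containment, or a near-match. The substitution table, the 0.8 similarity threshold and the sample pairs are this example's own assumptions; note it cannot be applied to older hashed history entries, only to the old/new pair present during the change.

```python
"""Flag a new password that is a trivial modification of the old one.

Added example for this thread, not part of the original post. The
normalization rules, the substitution table and the threshold are
assumptions chosen for illustration.
"""
import re
from difflib import SequenceMatcher

# Substitutions users commonly apply to satisfy complexity rules (assumed set).
LEET = {"@": "a", "$": "s", "!": "i", "1": "l", "0": "o", "3": "e", "4": "a", "|": "l"}


def normalize(pw: str) -> str:
    """Reduce a password to the core that survives cosmetic rotation edits."""
    s = pw.lower()
    # Drop the trailing counter / symbol block ("2011!", "22", "#1") first,
    # before leet-decoding, so a real counter is not mistaken for letters.
    s = re.sub(r"[\W\d_]+$", "", s)
    s = "".join(LEET.get(c, c) for c in s)
    # Drop leading symbols or digits that are not part of the word.
    s = re.sub(r"^[\W\d_]+", "", s)
    # All-digit or all-symbol passwords would normalize to ""; keep them whole.
    return s if s else pw.lower()


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True if `new` is plausibly `old` with a small, predictable change."""
    a, b = normalize(old), normalize(new)
    if a == b or a == b[::-1]:
        return True
    # One core embedded in the other (e.g. "summer" -> "summerbeach").
    shorter, longer = sorted((a, b), key=len)
    if len(shorter) >= 4 and shorter in longer:
        return True
    # ratio() = 2*matches/(len(a)+len(b)); 0.8 is roughly one edit per
    # five characters, which catches single-character swaps in longer cores.
    return SequenceMatcher(None, a, b).ratio() >= threshold


# Constructed sample change requests for this example (not real data).
SAMPLE_CHANGES = [
    ("Summer2011!", "Summer2012!"),         # bumped year
    ("P@ssw0rd1", "password2"),             # leet removed, counter bumped
    ("hunter2", "2retnuh"),                 # reversed
    ("Pearisburg", "Pearisberg"),           # one-letter swap
    ("Summer2011!", "Winter2011!"),         # different word, same suffix
    ("correct horse battery", "Tr0ub4dor&3"),  # genuinely different
]


def audit(pairs):
    """Return (old, new, flagged) for each proposed change."""
    return [(old, new, is_trivial_variant(old, new)) for old, new in pairs]


if __name__ == "__main__":
    for old, new, flagged in audit(SAMPLE_CHANGES):
        print(f"{old!r:26} -> {new!r:16} {'REJECT' if flagged else 'ok'}")
```

In practice the check belongs in the password-change handler, after the old password has been verified and before the new one is hashed; a rejection here does nothing about the cross-site reuse Bernie is asking about, which no single site can observe.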
