>> I finally realized, that's so when the organization gets pwn3d, you
>> won't have used the stolen passwords anywhere else. Or maybe they
>> imagine that if your password is stolen somewhere else, you won't have
>> changed all the passwords at the same time.
>
> Really? So you're proposing *cross*site* non-reuse? How does that work?
> If you make me change passwords, and many sites do that, what incentive
> is there to do anything other than use the same password [or a trivial
> mod] for each?
I didn't say this was a particularly good rationale, just that the idea is that your password won't be exactly the same as the one they used other places, because their password rules are so stringent.

>> There's also the backup tape that fell off a truck issue, ...
>
> but I don't understand again: if that happens, then presumably the IT
> folk *know* and _then_ you can make everyone change their passwords [at
> least for a reason].

How would they know if the tape fell off the truck? When it gets to the offsite vault, do you really think they carefully count the number of tapes in each incoming box and compare it to some manifest? And if they don't match, is the count or the manifest more likely to be wrong?

Again, I don't think this is a particularly compelling argument, but backup media do get lost from time to time, and people often don't notice until they look for it and can't find it.

R's,
John

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
