[email protected] (John Gilmore) writes:
> The rationale for changing passwords is not that doing so makes
> brute-force attempts to determine their values more difficult.
>
> It is that these password values may come to be known in one way or
> another and that changing them periodically eliminates the usefulness
> of these known passwords.
>
> There are war stories, anecdotal evidence, that this is sometimes the
> case; but I know of no systematic study of the effectiveness of
> periodic-password-change rules. Much of the rationale for them is of
> a different kind: their enforcement demonstrates that the group
> responsible for security is 'pro-active', doing something.
The Man Who Invented The Computer Password Admits That It's Become A Nightmare
http://www.businessinsider.com/inventor-of-the-password-2014-5

Back in the days of CTSS on the IBM 7094. Then Corbato and some of the other CTSS people went to the 5th floor of 545 Tech Sq and did Multics. Others went to the IBM Science Center (founded Feb 1964) on the 4th floor and did (virtual machine) cp40/cms, cp67/cms (which morphs into vm370/cms), the internal network, invented GML in 1969 (a decade later it morphs into SGML, and after another decade into HTML), and lots of other stuff. Some past posts mentioning 545 Tech Sq:
http://www.garlic.com/~lynn/subtopic.html#545tech

Passwords are a form of shared secret for authentication; they are static data and subject to "replay attacks" (if the information is ever exposed). Fixing this would require authentication that isn't 1) a shared secret, 2) static/repeated, 3) and is still unique.

Back in the 60s, somebody might have had only a single password. Then came security departments that not only wanted them changed once a month (as a countermeasure to replay attacks) but also impossible to guess (as a countermeasure to trivial brute-force attacks). The problem is now that an individual might have hundreds of impossible-to-guess shared secrets that are changed monthly ... each institutional security organization operating as if they are the only entity that the individual has to authenticate with (but human factors start to break down as soon as there are a dozen).

Disclaimer: in a prior life my wife and I had dozens of (assigned) patents on the subject.

--
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
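The replay point made in the post above, as an added illustration (this is example code written for this page, not code from the poster or from any of the systems he mentions). It contrasts a static shared password, where whatever crosses the wire can simply be presented again, with a nonce-based challenge-response in which the client returns HMAC(secret, nonce). The secret, server and "wire" are all constructed in the script so it runs offline; the class and function names are this example's own.

```python
"""Replay attack against a static shared secret vs. nonce-based challenge-response.

Added illustration, not code from the original post. The secret below is a
constructed value for the demo, never a real credential.
"""
import hashlib
import hmac
import secrets

# Constructed shared secret used by both the client and the servers below.
SHARED_SECRET = b"correct horse battery staple"
PBKDF2_ROUNDS = 50_000


class StaticPasswordServer:
    """Authenticates by checking the same static password on every login."""

    def __init__(self, password: bytes) -> None:
        # Storing only a salted hash protects the database, but the password
        # itself is still what the client sends, so a captured copy replays.
        self._salt = secrets.token_bytes(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", password, self._salt, PBKDF2_ROUNDS)

    def login(self, presented: bytes) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", presented, self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._hash)


class ChallengeResponseServer:
    """Issues a fresh random nonce per login attempt.

    The client proves knowledge of the secret by returning HMAC(secret, nonce).
    The secret never crosses the wire, and each response is bound to one nonce
    that the server accepts at most once.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        # Unknown or already-consumed nonce: reject before doing any MAC work,
        # so a captured (nonce, response) pair cannot be replayed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """What a legitimate client sends back for a given challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_static_password() -> tuple[bool, bool]:
    """Returns (legitimate_login_ok, replayed_login_ok) for the static scheme."""
    server = StaticPasswordServer(SHARED_SECRET)
    wire = SHARED_SECRET            # the bytes an eavesdropper would capture
    legit = server.login(wire)
    replayed = server.login(wire)   # same bytes presented again: accepted
    return legit, replayed


def replay_challenge_response() -> tuple[bool, bool, bool]:
    """Returns (legitimate_ok, same_nonce_replay_ok, fresh_nonce_replay_ok)."""
    server = ChallengeResponseServer(SHARED_SECRET)
    nonce = server.challenge()
    captured = client_response(SHARED_SECRET, nonce)  # what the eavesdropper sees
    legit = server.login(nonce, captured)
    # Replaying the captured pair: the nonce has been consumed.
    same_nonce = server.login(nonce, captured)
    # Replaying the captured response against a new challenge: the MAC
    # was computed over a different nonce, so it does not verify.
    fresh_nonce = server.login(server.challenge(), captured)
    return legit, same_nonce, fresh_nonce


if __name__ == "__main__":
    print("static password   (legit, replay):", replay_static_password())
    print("challenge-response (legit, same nonce, fresh nonce):",
          replay_challenge_response())
```

The challenge-response scheme removes the "static/repeated" property and makes every exchange unique, which is the replay countermeasure the post describes, but the server still holds the same secret as the client, so a compromise of the server's store is a compromise of the credential. Removing that last shared-secret property is what public-key authentication (the client signs the nonce with a private key the server never holds) is for.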
