Mark,

Thank you. I had seen a significantly shorter prepublication draft of the Zhang-Monrose-Reiter paper, but I did not know that it had been published.

It makes some plausible assumptions. The most important of them is that periodic-expiration requirements typically/very often induce a licit user to construct a sequence of passwords the elements of which are variants of their predecessors, e.g., dorothy0, dorothy1, . . . bin4, din6, fin8, gin10, kin12, pin14, sin16, tin18, . . . and the like. For such 'structured' sequences they show that knowing an element of such a sequence is so helpful in programmatically deducing/searching for a successor that, in their words, "We believe our study calls into question the merit of continuing the practice of password expiration".

Their paper will repay the attention of anyone who is seriously interested in computer security.

As readers of my posts on related topics will already know, my view is that password-expiration schemes are one more example, among too many others [like DES and AES], of all but useless schemes that are imposed on user communities by security organizations that 1) are anxious to be seen to be doing something and 2) are not themselves competent to make technical judgments about the usefulness of their impositions.

John Gilmore, Ashland, MA 01721 - USA
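The post's point is that a new password derived from its predecessor (dorothy0 to dorothy1, bin4 to din6) is weak because the old one predicts it. A defender-side use of that observation is a history check that rejects such variants at change time. The following is an added example, not code from the paper or from the list; the stem-and-edit-distance heuristic and the sample history are my own constructions, not the paper's algorithm.

```python
import re

# Constructed sample password history of the "structured" kind the post
# describes (not data from the paper).
SAMPLE_HISTORY = ["dorothy0", "dorothy1", "bin4"]


def stem(pw: str) -> str:
    """Strip what users typically vary between rotations: case, digits, symbols."""
    return re.sub(r"[^a-z]", "", pw.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_variant(old: str, new: str) -> bool:
    """Heuristic: does `new` look derived from `old`?

    Flags the two patterns in the post: same letter stem with a changed
    counter (dorothy0 -> dorothy1) and a stem changed by a single edit
    with a new counter (bin4 -> din6). Tolerance grows a little with length.
    """
    s_old, s_new = stem(old), stem(new)
    if not s_old or not s_new:
        return False
    if s_old == s_new:
        return True
    tolerance = max(1, min(len(s_old), len(s_new)) // 4)
    return edit_distance(s_old, s_new) <= tolerance


def check_new_password(history, candidate):
    """Return the first historical password `candidate` is a variant of, or None."""
    for old in history:
        if is_variant(old, candidate):
            return old
    return None


if __name__ == "__main__":
    print(check_new_password(SAMPLE_HISTORY, "dorothy2"))  # dorothy0
    print(check_new_password(SAMPLE_HISTORY, "din6"))      # bin4
```

An unrelated new password passes (returns None); a real deployment would combine this with a proper hashed-history store rather than plaintext comparison.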
