I think there are two things that happen that contribute to phenomena like this:

1. There is a fallacy that I see a lot, particularly in public policy, that goes something like this: Security is a big problem. It won't help, but we have to DO SOMETHING about security, so let's have the passwords expire. I guess that is the same thing as John is saying in his (1) below.

2. Nobody wants to stand up in a staff meeting and argue for "less security," so the imposition of one more security requirement -- no matter how ineffective or lacking in cost effectiveness -- almost always carries the day.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of John Gilmore
Sent: Saturday, May 24, 2014 11:41 AM
To: [email protected]
Subject: Re: Special characters for Passwords

Mark,

Thank you. I had seen a significantly shorter prepublication draft of the Zhang-Monrose-Reiter paper, but I did not know that it had been published.

It makes some plausible assumptions. The most important of them is that periodic-expiration requirements typically/very often induce a licit user to construct a sequence of passwords the elements of which are variants of their predecessors, e.g., dorothy0, dorothy1, . . . bin4, din6, fin8, gin10, kin12, pin14, sin16, tin18, . . . and the like. For such 'structured' sequences they show that knowing an element of such a sequence is so helpful in programmatically deducing/searching for a successor that, in their words, "We believe our study calls into question the merit of continuing the practice of password expiration".

Their paper will repay the attention of anyone who is seriously interested in computer security.

As readers of my posts on related topics will already know, my view is that password-expiration schemes are one more example, among too many others [like DES and AES], of all but useless schemes that are imposed on user communities by security organizations that 1) are anxious to be seen to be doing something and 2) are not themselves competent to make technical judgments about the usefulness of their impositions.
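Added illustration, not code from this thread or from the Zhang-Monrose-Reiter paper: a defender-side password-history check that flags a rotated password as a structured successor of its predecessor, the pattern John describes (dorothy0 -> dorothy1, bin4 -> din6). The one-character stem edit and the numeric step threshold are assumptions about what "variant" means.

```python
import re

# Splits a password into a stem and a trailing run of digits (may be empty).
_SUFFIX = re.compile(r"^(.*?)(\d*)$", re.DOTALL)


def split_suffix(pw):
    """'dorothy12' -> ('dorothy', 12). A password with no trailing digits
    gets index -1, so that appending '0' later counts as a step of 1."""
    stem, digits = _SUFFIX.match(pw.lower()).groups()
    return stem, int(digits) if digits else -1


def stem_distance(a, b):
    """Character edits between stems: Hamming distance for equal lengths;
    a length change is treated as a large edit (not a trivial variant)."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))


def is_trivial_successor(old, new, max_step=2):
    """True when `new` is a predictable variant of `old`: the stem is
    unchanged or differs in one character, and the numeric suffix moved
    by at most `max_step`. Thresholds are assumptions, not the paper's."""
    old_stem, old_n = split_suffix(old)
    new_stem, new_n = split_suffix(new)
    return stem_distance(old_stem, new_stem) <= 1 and abs(new_n - old_n) <= max_step


def audit_rotation(history, max_step=2):
    """Return the (old, new) transitions in a rotation history that this
    policy check would reject as structured successors."""
    return [(a, b) for a, b in zip(history, history[1:])
            if is_trivial_successor(a, b, max_step)]


if __name__ == "__main__":
    # Constructed sample history in the style of the sequences quoted above.
    sample = ["dorothy", "dorothy0", "dorothy1", "Tr0ub4dor&3"]
    for old, new in audit_rotation(sample):
        print(f"rejected: {old!r} -> {new!r} is a trivial successor")
```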
