[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: No more Bugzilla for me



Jesse Keating <jkeating redhat com> writes:

> There is a theory that changing passwords on a regular basis lessens the
> risk of somebody's password being stolen and used nefariously.
> Depending on the account compromised the damage increases from nuisance
> to legally damaging.  

There is a theory (which I find more credible) that changing passwords
has at best no effect, and at worst increases the risk of somebody's
password being stolen and used nefariously.

People who are forced to change passwords write them down or pick really
crappy passwords based on sequences, or both. If you give me the old
password for a random account, I am fairly sure I can give ten options
for the new password, and 4 out of 5 times one of the options will
match.

Password changes were a defense against brute forcing of the hashed
password. These days you don't allow anyone to access the hashed
password, so that isn't a worry. If someone DID get access to the
hashed password, you have lost anyway, because computers are just too
fast. The password change policy would have to be something like twice a
day.


/Benny
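The "give me the old password and I can guess the new one" point above is easy to make concrete. The following is an added example from the editor, not code from Benny's post or from the Fedora project; the mutation rules, their ordering and the sample old/new pairs are assumptions constructed for the demo. It generates the handful of successors a rotation-fatigued user is likely to pick, and uses the same generator (plus a small edit-distance check) as the "new password is a trivial variant of the old one" rule an auditor or password-change hook would want:

```python
import re


def successor_candidates(old: str, limit: int = 10) -> list[str]:
    """Return up to `limit` guesses for the password a user is likely to
    choose when forced to rotate `old`.  Rules (assumption, not from the post,
    ordered by how commonly such patterns appear in credential audits):
    bump a trailing number, append a digit or '!', double a trailing symbol,
    toggle the case of the first letter."""
    cands: list[str] = []

    def add(p: str) -> None:
        if p != old and p not in cands and len(cands) < limit:
            cands.append(p)

    # Split "Summer2023!" into prefix "Summer", number "2023", tail "!".
    m = re.match(r"^(.*?)(\d+)(\W*)$", old)
    if m:
        prefix, num, tail = m.groups()
        width = len(num)            # keep zero padding: "07" -> "08"
        n = int(num)
        for step in (1, 2, 10):
            add(f"{prefix}{n + step:0{width}d}{tail}")
        add(f"{prefix}{num}1{tail}")  # "Password1" -> "Password11"
    else:
        for suffix in ("1", "!", "1!", "123"):
            add(old + suffix)

    if old and not old[-1].isalnum():
        add(old + old[-1])            # "...!" -> "...!!"
    else:
        add(old + "!")

    if old[:1].isalpha():
        add(old[0].swapcase() + old[1:])

    return cands


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is one of the predicted successors of `old`, or is
    within `max_edits` edits of it (case-insensitively), i.e. when an
    attacker holding the old password would reach the new one in a few tries."""
    if new == old or new in successor_candidates(old):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


# Constructed sample rotation history for the demo; not real credentials.
SAMPLE_HISTORY = [
    ("Summer2023!", "Summer2024!"),
    ("Fedora07", "Fedora08"),
    ("Password1", "Password1!"),
    ("dragon", "Dragon!"),
    ("Fedora07", "correct horse battery staple"),
]


def audit(history: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (old, new) pairs in which the rotation was trivially guessable."""
    return [(o, n) for o, n in history if is_trivial_rotation(o, n)]


if __name__ == "__main__":
    for old, new in SAMPLE_HISTORY:
        print(f"{old!r:32} -> {new!r:32} "
              f"{'GUESSABLE' if is_trivial_rotation(old, new) else 'ok'}")
    print(f"{len(audit(SAMPLE_HISTORY))} of {len(SAMPLE_HISTORY)} rotations guessable")
```

Run it and four of the five constructed rotations are flagged; only the pair where the user actually chose an unrelated passphrase survives. The point for a policy owner is that the same candidate list is what an attacker who already holds the old password would try first, so a rotation rule that does not also reject these derivatives mostly just moves the secret one digit along.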
