No more Bugzilla for me

Benny Amorsen benny+usenet at amorsen.dk
Wed Apr 22 07:12:42 UTC 2009


Jesse Keating <jkeating at redhat.com> writes:

> There is a theory that changing passwords on a regular basis lessens the
> risk of somebody's password being stolen and used nefariously.
> Depending on the account compromised the damage increases from nuisance
> to legally damaging.

There is a theory (which I find more credible) that changing passwords
has at best no effect, and at worst increases the risk of somebody's
password being stolen and used nefariously.

People who are forced to change passwords write them down or pick really
crappy passwords based on sequences, or both. If you give me the old
password for a random account, I am fairly sure I can give ten options
for the new password, and 4 out of 5 times one of the options will
match.

Password changes were a defense against brute forcing of the hashed
password. These days you don't allow anyone to access the hashed
password, so that isn't a worry. If someone DID get access to the
hashed password, you have lost anyway, because computers are just too
fast. The password change policy would have to be something like twice a
day.


/Benny
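The "give me the old password and I'll give you ten options" claim above is easy to turn into code. The script below is an added illustration, not something from this thread or from any Fedora tooling: it takes an old password, splits off the trailing number and special character, and emits the successors that forced rotation tends to produce (bump the number, move to the next season or month, toggle a "!", reset the counter). The rotation rules, the season/month cycles and the example passwords are this example's own assumptions about common habits, not data from the post.

```python
import re

# Cycles that rotated passwords tend to walk through. Assumed by the author of
# this example, not taken from the post.
SEASONS = ["spring", "summer", "autumn", "winter"]
SEASONS_US = ["spring", "summer", "fall", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SPECIALS = "!@#$%"

# stem, trailing digit run, trailing special-character run
_SPLIT = re.compile(r"^(.*?)(\d*)([!@#$%*?]*)$")


def _match_case(template: str, word: str) -> str:
    """Write `word` in the same case style as `template` (lower / UPPER / Title)."""
    if template.isupper():
        return word.upper()
    if template[:1].isupper():
        return word.capitalize()
    return word


def _next_in_cycle(stem: str):
    """If the stem ends with a season or month name, return the stem with the
    next name in that cycle substituted; otherwise None. Heuristic: a stem like
    'Dismay' will match the month 'may'."""
    low = stem.lower()
    for cycle in (SEASONS, SEASONS_US, MONTHS):
        for i, name in enumerate(cycle):
            if low.endswith(name):
                cut = len(stem) - len(name)
                head, tail = stem[:cut], stem[cut:]
                return head + _match_case(tail, cycle[(i + 1) % len(cycle)])
    return None


def _bump(digits: str) -> str:
    """Increment a digit run, keeping its width ('09' -> '10', '2009' -> '2010');
    no digits at all becomes '1'."""
    if not digits:
        return "1"
    return str(int(digits) + 1).zfill(len(digits))


def successors(old: str, limit: int = 10) -> list:
    """Return up to `limit` likely next passwords derived from `old`, most
    likely first. The old password itself is never returned."""
    stem, digits, specials = _SPLIT.match(old).groups()
    out = []

    def add(candidate: str) -> None:
        if candidate != old and candidate not in out and len(out) < limit:
            out.append(candidate)

    bumped = _bump(digits)
    rotated = _next_in_cycle(stem)
    toggled = "" if specials else "!"

    # 1. Bump the trailing number: the single most common rotation.
    add(stem + bumped + specials)
    # 2. Next season/month, same number.
    if rotated:
        add(rotated + digits + specials)
    # 3. Add or drop a trailing special character.
    add(stem + digits + toggled)
    # 4. Combinations of the above.
    if rotated:
        add(rotated + bumped + specials)
        add(rotated + digits + toggled)
    add(stem + bumped + toggled)
    # 5. Counter reset: 'Password9' often goes back to 'Password1'.
    if digits and digits != "1":
        add(stem + "1" + specials)
    # 6. Swap the special character for another.
    for s in SPECIALS:
        if s != specials:
            add(stem + digits + s)
    return out


def guessable(old: str, new: str, limit: int = 10) -> bool:
    """True if `new` is among the first `limit` successors of `old`."""
    return new in successors(old, limit)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("Summer2009", "Password1", "hunter", "Winter09!"):
        print(pw, "->", successors(pw))
```

Run as a script it prints the ten guesses for each sample; as a policy check, `guessable(old, new)` is the kind of test a password-change hook would apply to reject a "new" password that is just the old one rotated.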
More information about the devel mailing list