Hello World

Chris Angelico rosuav at gmail.com
Sun Jan 18 01:04:57 CET 2015


On Sun, Jan 18, 2015 at 10:46 AM, Steven D'Aprano
<steve+comp.lang.python at pearwood.info> wrote:
> The merely poor reason given by the more thoughtful sys admins is, if the
> password hashes get stolen, the hacker has a maximum of N days (and
> possibly less) to crack the hashes and recover the passwords before they
> get changed. That's okay as far as it goes, but it's the wrong solution for
> the problem.

Related to that is another reason I've heard: if your password is
figured out by some means other than hash theft [1], there's a maximum
of N days to make use of it. But let's face it, if someone gets hold
of one of your accounts, it won't take long to do serious damage. Even
if it's not a high-profile target like email or banking, a service
with your password known by someone else is a problem *now*, not
"after a month of research" or something.

Password maximum age is the wrong solution to a few problems, and is
itself a problem. Don't do it.

ChrisA

[1] eg http://xkcd.com/792/



More information about the Python-list mailing list