torriem at gmail.com
Sun Jan 18 03:13:56 CET 2015
On 01/17/2015 05:04 PM, Chris Angelico wrote:
> Related to that is another reason I've heard: if your password is
> figured out by some means other than hash theft, there's a maximum
> of N days to make use of it. But let's face it, if someone gets hold
> of one of your accounts, it won't take long to do serious damage. Even
> if it's not a high-profile target like email or banking, a service
> with your password known by someone else is a problem *now*, not
> "after a month of research" or something.
> Password maximum age is the wrong solution to a few problems, and is
> itself a problem. Don't do it.
Most password policies are the wrong solution. They don't seem to
increase the time to guess the password given the hash, and they
certainly don't physically secure anything, as passwords that have to be
changed often and to bizarre notions of upper case, lower case, digits,
non-alphanumeric characters, are guaranteed to be written down and
pasted to the monitor.
Like many of you I use a password manager these days. It's pretty
slick. But really it shows the absurdity of the situation. Instead of
passwords we should all just use private/public keypairs and store the
private keys in a digital wallet. Forget this password garbage with
its 50-70 bits of entropy. Let's go for 2048-bit keys and be done with
it, if we're going to require the use of password managers.