At 10:17 2017-05-05, Ken Dibble krdibble@stny.rr.com wrote:
> What I've been saying for years ....
> From the O'Reilly Security Newsletter:
> https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we...
> - Forcing people to frequently change passwords is not helpful. It
> just makes it more likely that they will stick the password on a Post-it on their monitors because they can't remember it.
It does help some. If someone has your password but has not changed it, because it would alert you, and you change your password, he no longer has access. (Yes, he could possibly break in again.) If security is upped on the system he has access to and he has your password, the security improvement does not help you at all.
> - Imposed password complexity does not help either (As I keep
> telling people, the only way that a user can make his/her password harder to "guess" in the modern age is to make it longer. It is just as easy for a brute-force botnet application to "guess" "#51aQ4@5)?" as it is to guess "YourMomma!")
What about a dictionary attack? dictionary.com has both "your" and "momma", but it does not have "#51aQ4@5)?".
Maybe I should start my own security newsletter....
Sincerely,
Gene Wirchenko
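The two points argued above (length beats imposed complexity against brute force, but a dictionary attack treats "YourMomma!" very differently from "#51aQ4@5)?") can be made concrete with a small strength estimator. The following is an added example and is not code from either correspondent or from the newsletter: it scores a password by the smaller of a brute-force search-space estimate and a dictionary-decomposition estimate. The word list, the assumed dictionary size of 100,000 entries, and the bit accounting for capitalisation and decoration characters are constructed assumptions chosen to illustrate the argument, not measurements.

```python
import math
import string

# Constructed stand-in for a real dictionary (assumption: a real attacker
# word list would be far larger; only the words needed for the demo are here).
WORDLIST = {"your", "momma", "has", "a", "dragon", "password", "welcome"}

# Assumption: size of the attacker's word list used when costing each word.
ASSUMED_DICT_SIZE = 100_000

# Characters an attacker may try in place of each non-letter position.
NON_ALPHA_CHOICES = 10 + len(string.punctuation)  # digits + punctuation


def charset_size(pw: str) -> int:
    """Alphabet size a brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet)."""
    return len(pw) * math.log2(charset_size(pw))


def split_into_words(letters: str, wordlist=WORDLIST):
    """Split a lowercase letter string into the fewest dictionary words
    (dynamic programming); return None if no full split exists."""
    n = len(letters)
    if n == 0:
        return None
    best = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and letters[j:i] in wordlist:
                cand = best[j] + [letters[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[n]


def dictionary_bits(pw: str):
    """Cost of a dictionary attack, or None if the password does not
    decompose into dictionary words once casing and decorations are removed."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    words = split_into_words(letters)
    if words is None:
        return None
    non_alpha = sum(1 for c in pw if not c.isalpha())
    bits = len(words) * math.log2(ASSUMED_DICT_SIZE)  # pick each word
    bits += len(words)                                # assumed 1 bit of casing per word
    bits += non_alpha * math.log2(NON_ALPHA_CHOICES)  # each digit/symbol decoration
    return bits


def estimate_bits(pw: str) -> float:
    """Defender's estimate: the cheaper of the two attack strategies wins."""
    brute = brute_force_bits(pw)
    dictionary = dictionary_bits(pw)
    return brute if dictionary is None else min(brute, dictionary)


if __name__ == "__main__":
    for candidate in ["YourMomma!", "#51aQ4@5)?", "your momma has a dragon"]:
        print(f"{candidate!r}: brute={brute_force_bits(candidate):.1f} bits, "
              f"dictionary={dictionary_bits(candidate)}, "
              f"estimate={estimate_bits(candidate):.1f} bits")
```

Run as-is it shows the shape of the disagreement: against pure brute force the two ten-character passwords are within two bits of each other, but "YourMomma!" collapses to two dictionary words plus one decoration, while a longer all-lowercase phrase of common words still scores higher than either because length dominates both strategies.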