- Forcing people to frequently change passwords is not helpful. It
just makes it more likely that they will stick the password on a Post-IT on their monitors because they can't remember it.
It does help some. If someone has your password but has not changed it, because it would alert you, and you change your password, he no longer has access. (Yes, he could possibly break in again.) If security is upped on the system he has access to and he has your password, the security improvement does not help you at all.
- Imposed password complexity does not help either (As I keep
telling people, the only way that a user can make his/her password harder to "guess" in the modern age is to make it longer. It is just as easy for a brute-force botnet application to "guess" "#51aQ4@5)?" as it is to guess "YourMomma!")
What about a dictionary attack? dictionary.com has both "your" and "momma", but it does not have "#51aQ4@5)?".
Maybe I should start my own security newsletter....
Read the article. The data does not support the contention that these are important enough vectors to justify the downside that these recommendations have for users.
Anybody who's got a dictionary, by now, also has a brute-force "guessing machine" and a botnet. Yup, they get through the dictionary in a few seconds. Within only a few more minutes, the botnet loops through every possible combination of characters in a 10-character password, and then they move on to 11 characters. The only thing that slows them down at all is a much longer password, and the only really effective defense involves measures on the server side. There is very little that a user can do to a password to make it significantly safer in the modern age, and there is a huge amount of aggravation that can be caused to users over passwords that, in the end, has very little benefit.
This isn't just me, or just me and O'Reilly. Now it's me, O'Reilly, and the NIST.
Of course, I know, I'm a low-status person. No matter how right I am, or how often I am right, nobody listens to me until a high-status person repeats what I said.
I am just enjoying the gratification of being proven right.
Ken
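To put numbers on the two attacker models argued over in this thread (a dictionary-structured guess versus an exhaustive search, and the effect of server-side throttling or slow hashing on either), the following Python is an added example and not part of the thread. The character-set sizes, the dictionary size, the capitalisation/suffix counts and the guess rates are assumptions chosen for illustration.

```python
import math

# Assumed model parameters for this example (not figures from the thread).
CHARSET = {"lower": 26, "alnum": 62, "printable": 95}  # printable ASCII incl. space
RATES = {                            # guesses per second, assumed:
    "online, rate-limited": 10.0,    # server throttles login attempts
    "offline, slow hash": 1e4,       # leaked hashes protected by a costly KDF
    "offline, fast hash": 1e10,      # leaked fast unsalted hashes on a GPU rig
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_bits(charset_size: int, length: int) -> float:
    """Search-space size in bits for exhaustive search over charset^length."""
    return length * math.log2(charset_size)


def dictionary_bits(words: int, dict_size: int,
                    case_patterns: int = 4, suffixes: int = 33) -> float:
    """Search-space bits when the password is 'words' dictionary entries
    (each from a list of dict_size), one capitalisation pattern and one
    trailing symbol, i.e. the structure of "YourMomma!" in the thread."""
    return (words * math.log2(dict_size)
            + math.log2(case_patterns) + math.log2(suffixes))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def policy_table() -> dict:
    """Compare the thread's examples under each attacker model (years)."""
    cases = {
        '"#51aQ4@5)?" 10 printable, brute force': brute_force_bits(CHARSET["printable"], 10),
        '"YourMomma!" 10 printable, brute force': brute_force_bits(CHARSET["printable"], 10),
        '"YourMomma!" 2 words + case + symbol': dictionary_bits(2, 100_000),
        "11 printable chars, brute force": brute_force_bits(CHARSET["printable"], 11),
        "20 lowercase chars, brute force": brute_force_bits(CHARSET["lower"], 20),
    }
    return {name: {"bits": round(bits, 1),
                   **{model: years_to_exhaust(bits, rate) for model, rate in RATES.items()}}
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, row in policy_table().items():
        print(f"{name:42s} {row['bits']:6.1f} bits  " +
              "  ".join(f"{m}: {y:.3g} y" for m, y in row.items() if m != "bits"))
```

Each extra printable character multiplies the exhaustive search space by 95 (about 6.6 bits), whereas the same 10-character string guessed as two words plus a case pattern and a symbol sits around 40 bits, and the guess rate the server permits shifts every row by orders of magnitude.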