Educause Security Discussion mailing list archives

Re: Please do not change your password


From: David LaPorte <david_laporte () HARVARD EDU>
Date: Wed, 14 Apr 2010 10:05:35 -0400

Enforcing long/complex passwords to "protect" them in the event of a
password store compromise doesn't strike me as the right thing to do.  A
password store compromise is a serious event that requires an immediate
password change by all involved.  That threat is not addressed by overly
strict password complexity or expiration controls.  Moderation in both,
balanced with reasonable lock-out strategies and good monitoring, seems a
far better solution.

It's much easier to find the reminders scattered about (on post-its,
whiteboards, etc.) by poor users forced to contend with the onerous
constraints placed upon them in the name of "security."

Dave

On 04/14/2010 9:54 AM, Doty, Timothy T. wrote:
You say that passwords are no longer cracked? Then read up on the compromise
the Apache folks had where the database of (unsalted) hashed passwords was
obtained by the hackers. That is only a single case, but it is very recent
and IMO very relevant. Those 8-char passwords are little better than plain
text in such a situation.

If the bad guys "just worked around" passwords why would they care to obtain
a hash list? The argument is short sighted and misses the value of defense
in depth.

Tim Doty
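An added example (Python, written for this archive page, not code from either poster) that illustrates the point about unsalted hash stores: with a fast unsalted hash, every user who chose the same password gets the same stored value, so one lookup covers all of them, whereas a per-user salt plus a stretched hash (PBKDF2 here) removes that and still verifies logins. The user table and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration; not real credentials.
USERS = {"alice": "Summer2010!", "bob": "Summer2010!", "carol": "correct horse"}


def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest: the kind of value a leaked store exposes directly."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus PBKDF2 stretching; stored as iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_store(users: dict, hasher) -> dict:
    """Hash every user's password with the given scheme."""
    return {user: hasher(pw) for user, pw in users.items()}


def duplicate_hashes(store: dict) -> list:
    """Groups of users whose stored values are identical.

    A non-empty result means the store leaks which users share a password,
    and that one precomputed lookup of that value applies to all of them.
    """
    by_value = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return [group for group in by_value.values() if len(group) > 1]


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_hashes(build_store(USERS, unsalted_hash)))
    print("salted duplicates:  ", duplicate_hashes(build_store(USERS, salted_hash)))
```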
