nanog mailing list archives

Re: Dear Linkedin,


From: Alec Muffett <alec.muffett () gmail com>
Date: Sat, 9 Jun 2012 00:05:09 +0100

Does anybody have a good URL explaining that idea?  It's been kicking around 
for many years.  I've never seen a convincing writeup.

I've tried to do that in another mail - it's in the realms of philosophy more than strategy; like if you're a really 
security-aware person and take great care you can probably stretch the useful life of a password out to _years_ - but 
how typical are *you* in that instance?

Does your bank request/require that you change the PIN on your ATM card every 
few months?

ATM cards are not passwords, they are a coarse form of two-factor authentication - You have the card, you have the PIN. 

You have to possess both in order to transact - at least in theory.

Compare that with the secrecy surrounding the CVV - the "last three digits on the number on the back of the card" which 
you are "not meant to tell anyone" and which _will_ be different if your card is lost/stolen and reissued.

Now _that_ is a password.

Security is a tradeoff.  I think there are two cases for passwords.  I'll 
call them important and junk.  I'm willing to store the junk ones in a file 
or piece of paper that I'm careful with.  I have to memorize the important 
ones.

You know, that's not bad.  I am pro-paper for long passwords.  I am even-more pro "password safes".

I'm only smart enough to memorize a few good passwords.  If I change them 
every few months, they will be less good, or fewer of them.

It's harder as we get old.  Use technology to aid with the heavy lifting.  :-)

        -a
