Tuesday, May 01, 2012

Passwords

Typical password advice says to change your password regularly, say every 90 days. But for what reason?
If the problem is online login cracking that walks the keyspace in order (brute force or dictionary), nothing says the changed password is any stronger; it might actually be weaker. E.g. if the password is nnn and the cracker starts from a, and the user changes it to klm, then the new one is cracked sooner.
If the problem is offline hash cracking, then the usage lifetime of a potentially cracked password is shorter.
So is the whole setting based on the assumption that the hashed passwords have been stolen?
Why is there no password policy that checks the length (or complexity) of the password and rewards the user with a longer lifetime? This could probably reduce service desk tickets for forgotten passwords, and users might select better passwords since they would not accumulate so much historical garbage, etc.
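As an added example (not code from the original post), here is a toy version of such a complexity-aware lifetime policy in Python: it estimates the guessing entropy of a password, models expected cracking time at an assumed online guess rate and an assumed offline (stolen hash) guess rate, and grants a rotation interval as a fraction of the offline estimate. The guess rates, safety factor and day bounds are assumptions chosen for illustration.

```python
import math

# Assumed guess rates (constructed for illustration, not from the post):
# an online login endpoint throttled to ~10 attempts/s versus offline
# cracking of a stolen fast, unsalted hash on a GPU rig.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 10_000_000_000


def charset_size(password: str) -> int:
    """Estimate the alphabet the password draws from (lower, upper, digits, symbols)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: log2(charset ** length).
    Ignores dictionary structure, so real passwords are weaker than this."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def expected_crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Average time to hit a uniformly chosen password: half the keyspace."""
    return (2 ** bits / 2) / guesses_per_sec


def lifetime_days(password: str, safety: int = 10,
                  min_days: int = 1, max_days: int = 365) -> int:
    """Rotation interval granted by the policy: the expected offline crack
    time divided by a safety factor, clamped to [min_days, max_days].
    Strong passwords earn the maximum; trivial ones must rotate daily."""
    secs = expected_crack_seconds(entropy_bits(password), OFFLINE_GUESSES_PER_SEC)
    days = secs / 86400 / safety
    return int(max(min_days, min(max_days, days)))


if __name__ == "__main__":
    for pw in ["nnn", "abcdefghijkl", "Correct-Horse-Battery-9"]:
        print(pw, round(entropy_bits(pw), 1), "bits ->", lifetime_days(pw), "days")
```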