[Cryptography] Possible reason why password usage rules are such a mess

Kent Borg kentborg at borg.org
Wed Mar 4 13:28:35 EST 2020


On 3/4/20 7:16 AM, Peter Gutmann wrote:
> There has been some speculation in the past over why we have so many cargo-
> cult password security rules that make no sense in any modern context, the
> prime example being the need to change passwords periodically.  I've found one
> possible explanation, the Ware Report, which talks about authentication words
> more than passwords, and in a manner in which they resemble military
> countersigns rather than what we'd think of today as passwords:

I would think that is a big part of why we started down this path.

Why have we persisted? I figured it is a combination of:

- Some guy at the dawn of (computer) time saying "change passwords" (and 
he regrets it to this day, I forget his name),

- Computer people (whether they know it or not) being deeply traditional,

- Computer users being deeply superstitious and afraid, and

- Few people willing to foolishly spend personal political capital to 
tilt at conventional wisdom. ("We have been using Best Practices here, 
what kind of practices are /you/ proposing?")


-kb, the Kent who periodically rails against the conventional wisdom 
that ssh keys are better than ssh passwords, because he is a fool who 
insists fools are occasionally right.
