[Cryptography] Possible reason why password usage rules are such a mess
Kent Borg
kentborg at borg.org
Wed Mar 4 13:28:35 EST 2020
On 3/4/20 7:16 AM, Peter Gutmann wrote:
> There has been some speculation in the past over why we have so many cargo-
> cult password security rules that make no sense in any modern context, the
> prime example being the need to change passwords periodically. I've found one
> possible explanation, the Ware Report, which talks about authentication words
> more than passwords, and in a manner in which they resemble military
> countersigns rather than what we'd think of today as passwords:
I would think that is a big part of why we started down this path.
Why have we persisted? I figure it is a combination of:
- Some guy at the dawn of (computer) time saying "change passwords" (and
he regrets it to this day, I forget his name),
- Computer people (whether they know it or not) being deeply traditional,
- Computer users being deeply superstitious and afraid, and
- Few people willing to foolishly spend personal political capital to
tilt at conventional wisdom. ("We have been using Best Practices here,
what kind of practices are /you/ proposing?")
-kb, the Kent who periodically rails against the conventional wisdom
that ssh keys are better than ssh passwords, because he is a fool who
insists fools are occasionally right.