[Cryptography] Possible reason why password usage rules are such a mess

[Jon Callas]

> On Mar 4, 2020, at 4:16 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> 
> There has been some speculation in the past over why we have so many cargo-
> cult password security rules that make no sense in any modern context, the
> prime example being the need to change passwords periodically.  I've found one
> possible explanation, the Ware Report, which talks about authentication words
> more than passwords, and in a manner in which they resemble military
> countersigns rather than what we'd think of today as passwords:

I think that's a reasonable folk etymology. 

I also think that our conception of password use and how they're guessed has changed, and that has changed the way we look at the problem.

It used to be that the threat model for password guessing was a human sitting at a keyboard guessing things. The model for creating a password was making something that the owner can remember. It also included a model where one might have good reason to tell someone else one's password even though we'd cluck our tongues and shake our heads sadly at that. That resembles authentication words, and changing it forces the person to re-evaluate who they've shared it with.

Today, the threat comes from automated password crackers that have a dictionary of the umpteen gazillion most common passwords. The use model includes password managers. Thus, creating a password with bad human-UX and never changing it is a decent model.

I'll guess that there is at least parallel evolution from authentication words to password policies, if not outright inheritance. 

	Jon