[Cryptography] Possible reason why password usage rules are such a mess
Gary Gapinski
cryptography at garygapinski.com
Wed Mar 4 21:07:21 EST 2020
On 3/4/20 7:16 AM, Peter Gutmann wrote:
> There has been some speculation in the past over why we have so many cargo-
> cult password security rules that make no sense in any modern context, the
> prime example being the need to change passwords periodically.
That password expiration tenet remains stubbornly and execrably
contemporary. I think it must presume inevitable password compromise, or
uncompromising hostility toward users of passwords.
I tried to find a credible cult genesis and did not have much luck,
perhaps because it antedates the Internet Rapture. There was an unnamed
circa 1980s reference mentioned in an article¹. Peculiarly, the cited
(likely version 1.0) NIST SP 800-63² in the article does not mention
password expiry. A later NIST draft SP 800-118³ had thirty-three text
references to password expiration beginning with one which allows that
expiry is common, beneficial, ineffectual, and despised. NIST did not
recommend against password (memorized secret authenticator) expiry until
SP 800-63 revision 3⁴.
¹ https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
² https://csrc.nist.gov/CSRC/media/Publications/sp/800-63/ver-10/archive/2004-06-30/documents/sp800-63-v1-0.pdf
³ https://csrc.nist.gov/csrc/media/publications/sp/800-118/archive/2009-04-21/documents/draft-sp800-118.pdf
⁴ https://pages.nist.gov/800-63-3/sp800-63b.html#-511-memorized-secrets