[Cryptography] Possible reason why password usage rules are such a mess

John Levine johnl at iecc.com
Wed Mar 4 21:37:54 EST 2020


In article <4762d3eb0785491b8220599f3e59d1c3 at uxcn13-ogg-d.UoA.auckland.ac.nz> you write:
>There has been some speculation in the past over why we have so many cargo-
>cult password security rules that make no sense in any modern context, the
>prime example being the need to change passwords periodically.

In 1979, Ken Thompson and Bob Morris published "Password Security: A
Case History" in the CACM.  On the third page is a table showing how
long it takes to do an exhaustive search of passwords for various
lengths and character sets.

I believe some bright bulb figured he'd fix that by forcing people to
change their passwords at a rate faster than the time it took to
search the keyspace.  This particular threat model, of a publicly
readable file of encrypted passwords, is specific to Unix systems of a
certain generation, but you'd have to be paying attention to notice
that.


https://spqr.eecs.umich.edu/courses/cs660sp11/papers/10.1.1.128.1635.pdf