[Cryptography] Possible reason why password usage rules are such a mess
John Levine
johnl at iecc.com
Wed Mar 4 21:37:54 EST 2020
In article <4762d3eb0785491b8220599f3e59d1c3 at uxcn13-ogg-d.UoA.auckland.ac.nz> you write:
>There has been some speculation in the past over why we have so many cargo-
>cult password security rules that make no sense in any modern context, the
>prime example being the need to change passwords periodically.
In 1979, Ken Thompson and Bob Morris published "Password Security: A
Case History" in the CACM. On the third page is a table showing how
long it takes to do an exhaustive search of passwords for various
lengths and character sets.
I believe some bright bulb figured he'd fix that by forcing people to
change their passwords at a rate faster than the time it took to
search the keyspace. This particular threat model, of a publicly
readable file of encrypted passwords, is specific to Unix systems of a
certain generation, but you'd have to be paying attention to notice
that.
https://spqr.eecs.umich.edu/courses/cs660sp11/papers/10.1.1.128.1635.pdf
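As an added illustration of the reasoning the post describes (the 1979 table of exhaustive-search times and the idea of rotating passwords faster than the keyspace can be searched), here is example code that is not part of the post or of the Thompson/Morris paper; the character-set sizes, guess rates and rotation period are assumptions chosen for illustration:

```python
# Added example: reproduce the shape of the 1979 Thompson/Morris exhaustive-search
# table and test the "change passwords faster than the search" reasoning against it.
from typing import Dict, Tuple

# Assumed character classes (approximations, not the paper's exact table).
CHARSETS: Dict[str, int] = {
    "lowercase": 26,   # a-z
    "alnum": 62,       # a-z, A-Z, 0-9
    "printable": 95,   # printable ASCII
}

SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def search_time_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a given offline guess rate.

    The threat model is the one in the paper: an attacker holds a readable copy
    of the hashed password file and can test guesses offline at will."""
    return keyspace(charset_size, length) / guesses_per_second


def rotation_beats_search(charset_size: int, length: int,
                          guesses_per_second: float, rotation_days: float) -> bool:
    """The 1979-era argument: rotation only helps if the password is replaced
    before an exhaustive search of its keyspace could finish."""
    return rotation_days * SECONDS_PER_DAY < search_time_seconds(
        charset_size, length, guesses_per_second)


def search_table(guesses_per_second: float,
                 lengths: Tuple[int, ...] = (4, 6, 8)) -> Dict[Tuple[str, int], float]:
    """Search time in days for every (character class, length) pair, like the
    paper's table but at an assumed guess rate."""
    return {(name, n): search_time_seconds(size, n, guesses_per_second) / SECONDS_PER_DAY
            for name, size in CHARSETS.items() for n in lengths}


if __name__ == "__main__":
    # Assumed rates: a 1979-style slow crypt(3) loop vs. a modern offline cracker.
    for rate in (1e3, 1e9):
        print(f"--- {rate:.0e} guesses/second ---")
        for (name, n), days in search_table(rate).items():
            beats = rotation_beats_search(CHARSETS[name], n, rate, rotation_days=90)
            print(f"{name:>9} len {n}: {days:14.3f} days  90-day rotation helps: {beats}")
```

At the assumed 1e9 guesses/second even 8 printable characters fall in under 90 days, which is the point the post makes: the rotation rule only made sense against the search speeds of its own era.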