[Cryptography] Possible reason why password usage rules are such a mess

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Mar 4 19:37:48 EST 2020


Jerry Leichter <leichter at lrw.com> writes:

>Much of this stuff is also due to CYA:  If I require this policy that others
>are requiring, it may inconvenience users, but that's someone else's problem.
>If something goes wrong, I can show that I followed "best practices."  On the
>other hand, if I apply my own thinking and things go wrong, the shit will all
>land on me.

I've run into exactly this a number of times.  For example, many years ago I
was at a meeting of IT security managers from various government departments
where every single person agreed that forced password changes were a really
dumb idea resulting in inconvenience and reduced security.  Also, every single
person agreed that since the NIST guidelines said you had to do that, they
were going to keep doing it.

Peter.
