[Cryptography] Possible reason why password usage rules are such a mess
Howard Chu
hyc at symas.com
Thu Mar 5 16:35:27 EST 2020
Radia Perlman wrote:
> On Wed, Mar 4, 2020 at 9:58 AM Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>
> There has been some speculation in the past over why we have so many
> cargo-cult password security rules that make no sense in any modern context,
> the prime example being the need to change passwords periodically.
>
>
> I've never heard a good technical explanation for requiring periodic password changes, but wouldn't all the arguments about why it's silly to require frequent
> password changes apply to requiring certificate renewals? (and while we're at it, though I don't want to distract from the "why must certificates be
> periodically renewed" question...why does my driver's license, which proves who I am, not work for getting on an airplane if the license is expired...I can
> understand if they won't let me fly the plane with an expired driver's license, but I'm just planning on being a passenger.)
This one is easy - you can't travel with an expired photo ID because the possibility
exists that someone else is already traveling with the valid ID.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/