So you use Password Managers, you don't recommend against password expiration because it's "inconvenient"! https://twitter.com/CESG_HMG/status/720932405608124416 …
@khaxan Unless you know all users are using pw managers, expiration decreases security (encouraging users to make trivial algorithmic pw's).
@RichFelker That's why we implement password policy, complexity, degree of variation against prev pass, I know ppl w/ same easy password 4 yrs
@khaxan Then you're forcing people to write their pw's down (if not in a real pw manager, on a post-it note).
@khaxan A long-term pw that doesn't change you can memorize. The N'th one after forced expiration? Good luck...
@RichFelker I don't need to memorize anything if I'm using a pwd manager, & most users don't bc they use same easy pass 4 everything forever
@khaxan I agree it's a problem, and best solved by pw managers (except perhaps most-critical pw's that should be strong & memorized only).
@khaxan But expiration is not necessary if people use pw managers, and I don't see any evidence that it encourages ppl to switch to them.
@khaxan It very well might encourage ppl to use the same pw across all sites though (switch to common next-pw after old one expires).
@RichFelker @khaxan By this logic, a requirement for a complex password decreases security:-)
@RichFelker @khaxan And while at it, writing pw on paper is ok in some cases, pw managers are not always applicable (say, for OS login),
@RichFelker @khaxan checking that a new pw differs from several previous ones requires storing them (potentially in clear-text),
@RichFelker @khaxan pw policies reduce keyspace for bruteforcing, etc. It's hard to choose a proper balance between various considerations
@RichFelker @khaxan without fixing your threat model (e.g., if you are concerned with pass-the-hash attacks).