No more Bugzilla for me

Tomas Mraz tmraz at redhat.com
Wed Apr 22 07:25:54 UTC 2009


On Wed, 2009-04-22 at 09:12 +0200, Benny Amorsen wrote:
> Jesse Keating <jkeating at redhat.com> writes:
> 
> > There is a theory that changing passwords on a regular basis lessens the
> > risk of somebody's password being stolen and used nefariously.
> > Depending on the account compromised the damage increases from nuisance
> > to legally damaging.  
> 
> There is a theory (which I find more credible) that changing passwords
> has at best no effect, and at worst increases the risk of somebody's
> password being stolen and used nefariously.
> 
> People who are forced to change passwords write them down or pick really
> crappy passwords based on sequences, or both. If you give me the old
> password for a random account, I am fairly sure I can give ten options
> for the new password, and 4 out of 5 times one of the options will
> match.
> 
> Password changes were a defense against brute forcing of the hashed
> password. These days you don't allow anyone to access the hashed
> password, so that isn't a worry. If someone DID get access to the
> hashed password, you have lost anyway, because computers are just too
> fast. The password change policy would have to be something like twice a
> day.

Simply +1

There are methods by which you can lower the risk from passwords stolen
a long time ago, but enforcing frequent password changes is not among
them.

You can, for example, display the IP address and time of the user's last
login when he logs in. You can also e-mail notifications to the account
holder about logins, for example when the IP address that tries to log in
changes.

Also, expiration of accounts can be handled differently: for example, an
account is marked as expired if it has not been used for a long time, and
using the expired account sends an e-mail to the account holder requiring
him to verify, by visiting a unique URL, that his access is legitimate.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
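The two mechanisms described in the message above, a last-login banner with an e-mail notification when the login IP address changes, and idle-account expiry that can only be lifted by visiting a unique verification URL, as an added example that is not part of the original post or of any Fedora or Red Hat code. The idle threshold, the token lifetime, the verification endpoint URL and the sample account are assumptions made for illustration; the "mail" actions are returned as strings rather than actually sent.

```python
"""Last-login banner, IP-change notification and idle-account expiry
with a single-use verification link (added example; assumptions inline)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values; the post names no specific numbers.
IDLE_LIMIT = timedelta(days=180)      # unused this long -> account marked expired
TOKEN_LIFETIME = timedelta(hours=24)  # how long a verification link stays valid
VERIFY_BASE_URL = "https://example.invalid/verify/"  # hypothetical endpoint


@dataclass
class Account:
    name: str
    email: str
    last_login_at: Optional[datetime] = None
    last_login_ip: Optional[str] = None
    expired: bool = False
    # sha256(token) -> expiry. Only the hash is stored, so a copy of the
    # account database does not yield usable verification links.
    pending: dict = field(default_factory=dict)


def issue_verification(acct: Account, now: datetime) -> str:
    """Create a single-use verification link; the caller e-mails it."""
    token = secrets.token_urlsafe(32)               # 256 bits of randomness
    digest = hashlib.sha256(token.encode()).hexdigest()
    acct.pending[digest] = now + TOKEN_LIFETIME
    return VERIFY_BASE_URL + token


def verify(acct: Account, token: str, now: datetime) -> bool:
    """Consume a link. On success the account is un-expired and the
    verification counts as activity, so the idle clock restarts."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, expiry in list(acct.pending.items()):
        if hmac.compare_digest(stored, digest):     # constant-time compare
            del acct.pending[stored]                # single use, valid or not
            if now <= expiry:
                acct.expired = False
                acct.last_login_at = now
                return True
            return False
    return False


def attempt_login(acct: Account, ip: str, now: datetime) -> dict:
    """Apply the idle-expiry rule first; otherwise record the login and
    build the last-login banner plus any IP-change notification."""
    idle_too_long = (acct.last_login_at is not None
                     and now - acct.last_login_at > IDLE_LIMIT)
    if acct.expired or idle_too_long:
        acct.expired = True
        return {"allowed": False,
                "verify_url": issue_verification(acct, now),
                "notify": f"mail {acct.email}: expired account {acct.name} "
                          f"used from {ip}; visit the link to re-enable it"}

    banner = notify = None
    if acct.last_login_at is not None:
        banner = f"Last login: {acct.last_login_at.isoformat()} from {acct.last_login_ip}"
        if ip != acct.last_login_ip:
            notify = (f"mail {acct.email}: login for {acct.name} from {ip}, "
                      f"previous address was {acct.last_login_ip}")
    acct.last_login_at, acct.last_login_ip = now, ip
    return {"allowed": True, "banner": banner, "notify": notify}


def run_scenario() -> dict:
    """Constructed walk-through: first login, login from a new address,
    login after a long idle gap, a bad and a good verification, and the
    login that follows."""
    t0 = datetime(2009, 4, 22, tzinfo=timezone.utc)
    acct = Account("alice", "alice@example.invalid")   # constructed account
    first = attempt_login(acct, "10.0.0.1", t0)
    moved = attempt_login(acct, "10.0.0.2", t0 + timedelta(days=1))
    stale = attempt_login(acct, "10.0.0.2", t0 + timedelta(days=400))
    token = stale["verify_url"][len(VERIFY_BASE_URL):]
    bad = verify(acct, "not-the-token", t0 + timedelta(days=400))
    good = verify(acct, token, t0 + timedelta(days=400, hours=1))
    after = attempt_login(acct, "10.0.0.2", t0 + timedelta(days=400, hours=2))
    return {"first": first, "moved": moved, "stale": stale,
            "bad": bad, "good": good, "after": after, "account": acct}


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, "->", result)
```

The token itself never touches storage, only its hash does, and the lookup uses a constant-time comparison; both are cheap and remove the obvious ways a verification link could be recovered by someone who already has read access to the account table. Note also that a successful verification resets the idle clock, otherwise the very next login would trip the expiry rule again.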



