Password Reset

[Bruno Wolff III]

On Mon, Mar 09, 2009 at 21:07:43 -0400,
  Tom Lane <tgl at redhat.com> wrote:
> Kevin Kofler <kevin.kofler at chello.at> writes:
> > Why don't we stop requiring these pointless password resets
> > altogether?
> 
> +1 ... it's a demonstrated fact that forcing periodic password changes
> does not improve security.  What it does do is force people to write
> down their passwords so they can remember what's current.

That is going to depend on the threat model. Forcing password resets
can secure accounts where the password has been compromised, but the
user doesn't know it. In practice I am not sure how big of a problem
that is. And changing it may only help temporarily if the method that
compromised the original password is still available.

Writing passwords down may or may not be a big problem. Keeping them
in say your wallet may not be a big risk. If your wallet gets stolen
the person stealing it probably isn't interested in your passwords and
you will have time to deal with the passwords. (For people with kids,
a wallet may not be a safe place to store passwords.) Keeping them
in something like password safe might also work pretty well. If the
machine that you are using to keep the encrypted passwords on is
compromised, then there is a good chance your passwords would have
been snatched even if you were typing them from memory.

What may be a bigger threat here is someone forging messages from Mike
with deceptive URLs that trick people into changing their passwords
using a hostile proxy. Doing things in the current manner is training
people to get fooled.

I don't remember if Mike signed the message, but I don't recall getting
a pgp warning when I read it. (But it's been long enough that I might
have forgotten.) (I checked the url and figured even if the message
was bogus, changing my password at the real FAS site wouldn't hurt.)