Talk:936: Password Strength
This comic was mentioned in a TED talk by Lorrie Faith Cranor in March 2014. After performing a lot of studies and analysis, she concludes that "pass phrase" passwords are no easier to remember than complex passwords and that the increased length of the password increases the number of errors when typing it. There is a lot of other useful information from her studies that can be gleaned from the talk. [http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd Link]. What she doesn't mention is the frequency of changing passwords - in most organizations it's ~90 days. I don't know where that standard originated, but (as a sys admin) I suspect it's about as ineffective as most of our other password trickery - that is that it does nothing. Today's password thieves don't bash stolen password hash tables, they bundle keyloggers with game trainers and browser plugins.--[[Special:Contributions/173.245.50.75|173.245.50.75]] 18:14, 2 July 2014 (UTC)

:Password-changing frequency isn't about making passwords more ''secure'', but instead it's about ''mitigating the damage'' of a successfully cracked password. If a hacker gets your password (through any means) and your password changes every 90 days, the password the hacker has obtained is only useful for a few months at most. That might be enough, but it might not. If the hacker is brute forcing the passwords to get them, that cuts into the time the password is useful. --[[Special:Contributions/173.245.54.168|173.245.54.168]] 22:22, 13 October 2014 (UTC)
::However, brute-forcing gets much ''easier'' that way.
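To put numbers on the rotation-window argument in the replies above, here is an added example; it is not code from this talk page, from the comic, or from Cranor's talk. It assumes the comic's figures (roughly 28 bits for a Tr0ub4dor&3-style password, 44 bits for four words drawn from a 2048-word list, 1,000 guesses per second against an online login), the 90-day rotation window mentioned above, an assumed offline rate of 1e10 guesses per second against a leaked fast-hash database, and a secret chosen uniformly at random. It models only exhaustive search, so it says nothing about attackers who guess predictable rotation patterns or use keyloggers.

```python
import math

SECONDS_PER_DAY = 86_400


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy in bits of `words` words chosen uniformly from `wordlist_size`
    candidates (four words from a 2048-word list give 44 bits)."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search to hit a uniformly chosen secret:
    on average half the keyspace is tried before the right value turns up."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def crack_probability_within(bits: float, guesses_per_second: float,
                             seconds: float) -> float:
    """Probability that exhaustive search at the given rate finds a uniform
    secret of `bits` bits inside a window of `seconds`."""
    return min(1.0, guesses_per_second * seconds / (2.0 ** bits))


def rotation_report(bits: float, guesses_per_second: float,
                    rotation_days: int) -> dict:
    """Compare the expected crack time with the rotation window, so one can
    see whether rotating shortens the attacker's useful window or whether
    the password falls well inside that window anyway."""
    window = rotation_days * SECONDS_PER_DAY
    return {
        "bits": bits,
        "expected_crack_days": expected_crack_seconds(bits, guesses_per_second)
        / SECONDS_PER_DAY,
        "p_cracked_before_rotation": crack_probability_within(
            bits, guesses_per_second, window),
    }


# Assumed figures (taken from the comic, not from this talk page): 28 bits
# for a Tr0ub4dor&3-style password, 44 bits for four common words, 1,000
# guesses/s against an online login. The offline rate is an assumption for
# cracking a leaked database of fast, unsalted hashes.
COMIC_ONLINE_RATE = 1_000.0
ASSUMED_OFFLINE_RATE = 1e10
ROTATION_DAYS = 90


if __name__ == "__main__":
    schemes = (("Tr0ub4dor&3 (28 bits)", 28.0),
               ("correct horse battery staple", passphrase_bits(4, 2048)))
    rates = (("online", COMIC_ONLINE_RATE), ("offline", ASSUMED_OFFLINE_RATE))
    for label, bits in schemes:
        for rate_label, rate in rates:
            r = rotation_report(bits, rate, ROTATION_DAYS)
            print(f"{label:32s} {rate_label:8s} "
                  f"expected {r['expected_crack_days']:12.3f} days, "
                  f"P(cracked within {ROTATION_DAYS} d) = "
                  f"{r['p_cracked_before_rotation']:.4f}")
```

Running it shows the two regimes the replies are talking past each other on: the 28-bit password has an expected online crack time of about 1.5 days, so a 90-day rotation never comes into play, while the 44-bit passphrase has under a 0.05% chance of being found online within the window, so rotation barely changes anything there either. Rotation only matters when the expected crack time is of the same order as the window; against an offline attack on fast hashes both fall within seconds or minutes and the window is irrelevant.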