>>Even more off topic - why do people think regular password expiry improves
>>system security (as opposed to enforcing a password complexity constraint)?
> 
> i think the UNIX security paper discussed that.
> (F. Grampp and R. Morris, "UNIX Operating System Security", BSTJ, Vol. 62, No. 8, 1984)

still a ppv (springer) article.  so without the benefit of reading
it ....

maybe the choice is false.

if you use the same password for 12 months or 12
passwords for one month, then your 12-month password
needs to be 12 times harder to crack, assuming you're
defending against the same assumed attack rate.

okay, maybe you're using something with 160 random
bits.  no way to crack that (play along, please), but
the 160 bits might be leaked.  in that case you need to
be 12x more careful with a 1 month password than a 12
month password, assuming that one is equally likely to
leak one's password on any given day.

otoh, the chance of recovering encrypted backups is
inversely proportional to the number of passwords you've
used. :-)

- erik
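As an added illustration of the model erik reasons with above (this is not code from the thread): a small Python sketch of the two quantities he compares, the extra strength a 12-month password needs at an assumed guess rate, and the lifetime exposure under an assumed per-day leak probability. The guess rate, daily leak probability and target crack probability are constructed parameters, not figures from the message.

```python
import math

SECONDS_PER_DAY = 86400


def bits_needed(guess_rate, lifetime_days, max_crack_prob):
    """Entropy in bits a uniformly random password needs so that an attacker
    guessing at guess_rate guesses/second for the whole lifetime succeeds
    with probability at most max_crack_prob (guess budget grows linearly
    with lifetime, which is the "same assumed attack rate" model)."""
    guesses = guess_rate * lifetime_days * SECONDS_PER_DAY
    return math.log2(guesses / max_crack_prob)


def crack_prob(bits, guess_rate, lifetime_days):
    """Probability a uniformly random `bits`-bit secret is guessed within
    its lifetime at guess_rate guesses/second (capped at 1)."""
    guesses = guess_rate * lifetime_days * SECONDS_PER_DAY
    return min(1.0, guesses / 2 ** bits)


def leak_prob(daily_leak_prob, lifetime_days):
    """Probability the secret is exposed at least once during its lifetime,
    assuming an independent, equal chance of leaking on each day (the
    message's assumption about leaks)."""
    return 1.0 - (1.0 - daily_leak_prob) ** lifetime_days


def compare(guess_rate, daily_leak_prob, max_crack_prob=1e-6,
            short_days=30, long_days=360):
    """Return (extra_bits, leak_short, leak_long): how many more bits the
    long-lived password needs than the short-lived one for equal crack
    probability, and each password's lifetime leak exposure."""
    extra_bits = (bits_needed(guess_rate, long_days, max_crack_prob)
                  - bits_needed(guess_rate, short_days, max_crack_prob))
    return (extra_bits,
            leak_prob(daily_leak_prob, short_days),
            leak_prob(daily_leak_prob, long_days))


if __name__ == "__main__":
    # Constructed parameters: 1e9 guesses/s offline, 0.1% leak chance per day.
    extra, leak_1m, leak_12m = compare(1e9, 1e-3)
    print(f"12x harder to crack is only {extra:.2f} extra bits of entropy")
    print(f"leak exposure: 1-month {leak_1m:.3f}, 12-month {leak_12m:.3f}")
    print(f"160-bit secret cracked within a year: {crack_prob(160, 1e9, 360):.3e}")
```

Note that "12 times harder" is about 3.6 bits, and the 12-month leak exposure is roughly 10x the 1-month one rather than 12x, because independent daily chances compound rather than add.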

