>Yes; of course if most of those accounts are moribund and unused then you >don't need >to change them so often, but the passwords you use frequently should be >changed at >regular intervals. > >It's pretty commonsensical once the threat is understood.
Given that most compromised passwords these days are stolen by malware or phishing, I'm not understanding the threat, unless you're planning to change passwords more frequently than the interval between malware stealing your password and the bad guys using it. I agree that keeping a big file of unsalted hashes is a dumb idea, but there isn't much that users can do about services so inept as to do that. R's, John
