On Sun, Jan 18, 2015 at 10:46 AM, Steven D'Aprano <steve+comp.lang.pyt...@pearwood.info> wrote:
> The merely poor reason given by the more thoughtful sys admins is, if the
> password hashes get stolen, the hacker has a maximum of N days (and
> possibly less) to crack the hashes and recover the passwords before they
> get changed. That's okay as far as it goes, but it's the wrong solution for
> the problem.
Related to that is another reason I've heard: if your password is figured
out by some means other than hash theft [1], there's a maximum of N days to
make use of it. But let's face it, if someone gets hold of one of your
accounts, it won't take long to do serious damage. Even if it's not a
high-profile target like email or banking, a service with your password
known by someone else is a problem *now*, not "after a month of research"
or something.

Password maximum age is the wrong solution to a few problems, and is itself
a problem. Don't do it.

ChrisA

[1] e.g. http://xkcd.com/792/

-- 
https://mail.python.org/mailman/listinfo/python-list
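The "hashes get stolen, attacker has N days to crack them" scenario from the quoted text, as an added simulation (this is example code, not anything posted in the thread). The three accounts, their passwords, the six-entry wordlist and the two storage schemes (a single salted SHA-256 versus PBKDF2-HMAC-SHA256 at 100k iterations) are all constructed assumptions. The point it makes concrete: the weak passwords fall within the first handful of guesses under either scheme, long before any rotation window closes, while the strong one survives the wordlist under both; what an attacker gets out of the stolen table is decided by password strength and hash cost, not by how many days the policy gives them.

```python
import hashlib
import os
import time

# Constructed sample data (not from the thread): three accounts with passwords
# of varying strength, and a small attacker wordlist.
ACCOUNTS = {
    "alice": "123456",
    "bob": "letmein",
    "carol": "glass-orbit-cactus-47",   # deliberately absent from WORDLIST
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123", "monkey"]


def fast_hash(password: str, salt: bytes) -> bytes:
    """One salted SHA-256: cheap for the site and equally cheap for the attacker."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256, a deliberately expensive password hash (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_table(accounts, hasher):
    """Simulate the site's stored credentials: user -> (salt, hash)."""
    table = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        table[user] = (salt, hasher(pw, salt))
    return table


def crack(table, hasher, wordlist):
    """Offline dictionary attack against a stolen table.

    Returns ({user: recovered_password}, number_of_hash_evaluations).
    """
    recovered = {}
    work = 0
    for user, (salt, digest) in table.items():
        for guess in wordlist:
            work += 1
            if hasher(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered, work


def guesses_per_second(hasher, seconds: float = 0.2) -> float:
    """Rough single-core throughput of `hasher` on this machine."""
    salt = os.urandom(16)
    n = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hasher("benchmark", salt)
        n += 1
    return n / seconds


def guesses_within_window(hasher, days: float) -> float:
    """How many candidates one core can try before an N-day maximum age forces a change."""
    return guesses_per_second(hasher) * days * 86400


if __name__ == "__main__":
    for name, hasher in (("salted SHA-256", fast_hash), ("PBKDF2 100k", slow_hash)):
        table = build_table(ACCOUNTS, hasher)
        hits, work = crack(table, hasher, WORDLIST)
        print(f"{name}: recovered {hits} after {work} guesses; "
              f"a 30-day window allows ~{guesses_within_window(hasher, 30):.3g} guesses per core")
```

Under both schemes alice and bob are recovered after 11 hash evaluations in total, i.e. within the first second of the window; the slow hash only changes how far an attacker can get through a much larger candidate space before the N days run out, and a password that is not in the wordlist is never found either way.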