On 01/17/2015 05:04 PM, Chris Angelico wrote:
> Related to that is another reason I've heard: if your password is
> figured out by some means other than hash theft [1], there's a maximum
> of N days to make use of it. But let's face it, if someone gets hold
> of one of your accounts, it won't take long to do serious damage. Even
> if it's not a high-profile target like email or banking, a service
> with your password known by someone else is a problem *now*, not
> "after a month of research" or something.
>
> Password maximum age is the wrong solution to a few problems, and is
> itself a problem. Don't do it.
Most password policies are the wrong solution. They don't seem to increase the time to guess the password given the hash, and they certainly don't physically secure anything, as passwords that have to be changed often and to bizarre notions of upper case, lower case, digits, and non-alphanumeric characters are guaranteed to be written down and pasted to the monitor.

Like many of you I use a password manager these days. It's pretty slick. But really it shows the absurdity of the situation. Instead of passwords we should all just use private/public keypairs and store the private keys in a digital wallet. Forget this password garbage with its 50-70 bits of entropy. Let's go for 2048-bit keys and be done with it, if we're going to require the use of password managers.

--
https://mail.python.org/mailman/listinfo/python-list