Slashdot Mirror


Please Do Not Change Your Password

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

2 of 497 comments

  1. Re:The best password is: by danomac, Score: 5, Informative

    For those that don't know where that comes from, it's a bash quote.

  2. Re:Please let me use the same password by Bearhouse, Score: 5, Informative

    And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

    Indeed. Similar to the Enigma: http://en.wikipedia.org/wiki/Enigma_machine
    There, a misguided decision was taken to never let a character be encoded to itself. This actually weakened the cypher: http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma
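The two rules mentioned in the comment above share one mechanism: a constraint that tells an attacker what a valid password (or valid cipher permutation) can never look like shrinks the space that has to be searched. The following added example, not part of the original discussion, makes that concrete. It counts how many candidate passwords a "no repeating characters" rule removes from a given alphabet and length, and how many permutations an Enigma-style "no letter maps to itself" rule removes (the surviving permutations are the derangements). The alphabet size of 95 printable ASCII characters and the password length of 8 are assumptions chosen for illustration.

```python
from itertools import product
from math import factorial, log2

# Assumed for illustration: 95 printable ASCII characters, 8-character passwords.
ALPHABET_SIZE = 95
PASSWORD_LENGTH = 8


def keyspace_with_repeats(alphabet: int, length: int) -> int:
    """Number of strings of the given length when any character may repeat."""
    return alphabet ** length


def keyspace_no_repeats(alphabet: int, length: int) -> int:
    """Number of strings when the policy forbids any repeated character.

    This is the number of ordered selections without replacement,
    P(alphabet, length) = alphabet! / (alphabet - length)!.
    """
    if length > alphabet:
        return 0
    return factorial(alphabet) // factorial(alphabet - length)


def bits_lost_to_no_repeat_rule(alphabet: int, length: int) -> float:
    """How many bits of search effort the no-repeat rule hands to an attacker."""
    return log2(keyspace_with_repeats(alphabet, length)) - log2(
        keyspace_no_repeats(alphabet, length)
    )


def violates_no_repeat_rule(password: str) -> bool:
    """The policy check itself: True if any character appears more than once."""
    return len(set(password)) != len(password)


def survivors_by_brute_force(alphabet: str, length: int) -> int:
    """Enumerate every string over a tiny alphabet and count those the rule allows.

    Used only to confirm the closed-form count on a space small enough to list.
    """
    return sum(
        1
        for chars in product(alphabet, repeat=length)
        if not violates_no_repeat_rule("".join(chars))
    )


def derangement_count(n: int) -> int:
    """Permutations of n symbols in which no symbol maps to itself.

    Uses the recurrence D(n) = (n - 1) * (D(n - 1) + D(n - 2)),
    with D(0) = 1 and D(1) = 0. For the 26-letter Enigma alphabet this
    counts the self-encipherment-free permutations the rule leaves available.
    """
    if n == 0:
        return 1
    if n == 1:
        return 0
    prev2, prev1 = 1, 0  # D(0), D(1)
    for k in range(2, n + 1):
        prev2, prev1 = prev1, (k - 1) * (prev1 + prev2)
    return prev1


def fraction_of_permutations_excluded(n: int) -> float:
    """Share of all n! permutations ruled out by 'no symbol maps to itself'."""
    return 1 - derangement_count(n) / factorial(n)


if __name__ == "__main__":
    print(
        f"{ALPHABET_SIZE}^{PASSWORD_LENGTH} with repeats: "
        f"{keyspace_with_repeats(ALPHABET_SIZE, PASSWORD_LENGTH)}"
    )
    print(
        f"no-repeat rule leaves: {keyspace_no_repeats(ALPHABET_SIZE, PASSWORD_LENGTH)} "
        f"({bits_lost_to_no_repeat_rule(ALPHABET_SIZE, PASSWORD_LENGTH):.3f} bits lost)"
    )
    print(f"brute-force check over 'abc', length 3: {survivors_by_brute_force('abc', 3)} survivors of 27")
    print(f"26-letter derangements excluded: {fraction_of_permutations_excluded(26):.4f} of all permutations")
```

For 8-character passwords the no-repeat rule costs only a fraction of a bit, so its main harm is the one the comment points to: it rejects passwords users would otherwise have chosen and pushes them toward more predictable ones. The Enigma figure is larger in kind than in size (about 37% of permutations are excluded, converging to 1 - 1/e), but the cryptanalytic value of the rule lay in letting an analyst discard any alignment where a known plaintext letter coincided with the same ciphertext letter, which is a much stronger lever than the raw count suggests.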