On Sat, Dec 31, 2011 at 4:44 PM, John Levine <jo...@iecc.com> wrote:

>> This is the very question I was asking: *WHY* "changed regularly"? What
>> threat/vulnerability is addressed by regularly changing your password?
>
> I finally realized, that's so when the organization gets pwn3d, you
> won't have used the stolen passwords anywhere else. Or maybe they
> imagine that if your password is stolen somewhere else, you won't have
> changed all the passwords at the same time.

Sadly, I'm a poster child for reuse and stolen passwords. When GNU's Savannah was broken into [1], Google had to suspend an alternate GMail account due to spamming. I used the same password under GNU and GMail (and the GMail account name was easily guessable - jeffrey.w.walton). The password was non-trivial - 8 characters, upper/lower, three numbers, and one symbol.
+1 to GNU, Mailman, and their data security practices (plain text and unsalted MD5 secrets). +1 to me for reuse. I no longer use passwords for Mailman (let them pick their own throw-away password), I no longer reuse passwords, and I try not to use guessable account names (unavoidable when corporate email addresses are assigned).

Jeff

[1] http://www.theregister.co.uk/2010/12/01/gnu_savannah_hacked/

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography