On Sun 25 Mar 2018 at 14:06:53 -0400, Roberto C. Sánchez wrote:

> On Sun, Mar 25, 2018 at 06:48:15PM +0100, Brian wrote:
> > On Sun 25 Mar 2018 at 11:52:13 -0400, rhkra...@gmail.com wrote:
> >
> > The PIN for my credit card has only four digits.
> >
> > > * I don't change the passwords as often as I should
> >
> > There isn't and never has been a need to do this. Passwords don't
> > deteriorate with age.
> >
> I disagree. Forced password changes are annoying and counterproductive,

Those two attributes may be a consequence of forced password changes but
are not sufficient to advocate or not advocate such a strategy.

> but there is an argument to be made for users periodically changing
> their passwords. The Yahoo! data breach, for example, did not become
> publicly known until long after the breach. Even then, the scope
> continued to expand as additional related breaches were discovered that
> had taken place even earlier.

1 day after the breach your data had been compromised. Changing your
password 10 days later on in your 1 month cycle doesn't seem to me to be
reactive security. Better than nothing, I suppose, but closing the door
after etc.

In any case, your 20 character, high entropy password was your ultimate
defence. (Not unless Yahoo! didn't hash).

> There are some sites which force me to change my password periodically
> and find them annoying because the passwords do not protect anything
> important enough to warrant that. On the other hand, there are some
> sites where I regularly change my password to guard against a hacker
> gaining continuing access to my account/data following a breach.

If I had so little confidence in the password hashing procedures at the
site I might do the same. My problem would then come down to predicting
when a likely breach would occur.

--
Brian.

>
> While you are right that passwords do not deteriorate, they do get
> compromised. The last few years have shown that it happens with rather
> shocking regularity.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
>