On Sun 25 Mar 2018 at 22:43:26 +0200, Ángel wrote:

> On 2018-03-25 at 19:47 +0100, Brian wrote:
> > 1 day after the breach your data had been compromised. Changing your
> > password 10 days later on in your 1 month cycle doesn't seem to me to
> > be reactive security. Better than nothing, I suppose, but closing the
> > door after etc.
> > 
> > In any case, your 20 character, high entropy password was your ultimate
> > defence. (Not unless Yahoo! didn't hash).
> 
> 
> Sure. If someone stole your password, be that by compromising and
> injecting a password-stealing javascript server side, due to a sslstrip
> you didn't notice on that free wifi, perhaps just someone looking at the
> keys you pressed when entering your password, etc. the data you had up
> to that point in that service should be considered compromised.
> 
> However, if the password was changed N days/months later, as part of a
> periodic password change, that would mean that data processed after that
> date would no longer be at risk, whereas otherwise the account would
> continue being accessible by the bad actors for years (assuming that you
> are not using a pattern that removes the benefit of rotating the
> password!).

I would be more accepting of this argument if it fitted with real world
examples in other fields. Nobody offers the advice to change the locks
on your front door or your car at regular intervals. But the computer
security business has conjured up the "what if" argument to counteract
common sense.

-- 
Brian.
