On Mon, Mar 26, 2018 at 08:34:28PM +0100, Brian wrote:
> On Sun 25 Mar 2018 at 22:43:26 +0200, Ángel wrote:
>
> > On 2018-03-25 at 19:47 +0100, Brian wrote:
> > > 1 day after the breach your data had been compromised. Changing your
> > > password 10 days later on in your 1 month cycle doesn't seem to me to
> > > be reactive security. Better than nothing, I suppose, but closing the
> > > door after etc.
> > >
> > > In any case, your 20 character, high entropy password was your ultimate
> > > defence. (Not unless Yahoo! didn't hash).
> >
> > Sure. If someone stole your password, be that by compromising and
> > injecting a password-stealing javascript server side, due to a sslstrip
> > you didn't notice on that free wifi, perhaps just someone looking at the
> > keys you pressed when entering your password, etc. the data you had up
> > to that point in that service should be considered compromised.
> >
> > However, if the password was changed N days/months later, as part of a
> > periodic password change, that would mean that data processed after that
> > date would no longer be at risk, whereas otherwise the account would
> > continue being accessible by the bad actors for years (assuming that you
> > are not using a pattern that removes the benefit of rotating the
> > password!).
>
> I would be more accepting of this argument if it fitted with real world
> examples in other fields. Nobody offers the advice to change the locks
> on your front door or your car at regular intervals. But the computer
> security business has conjured up the "what if" argument to counteract
> common sense.

It's pretty difficult to steal someone's keys without them realising it
has happened. In contrast, password compromise happens without the
victim's knowledge all the time.
Mark