Re: password administration

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>
Cc: Craig James <craig_james(at)emolecules(dot)com>, pgsql-admin(at)postgresql(dot)org
Subject: Re: password administration
Date: 2010-08-05 20:54:41
Message-ID: 29695.1281041681@sss.pgh.pa.us
Lists: pgsql-admin

Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> writes:
> On Thu, Aug 5, 2010 at 2:20 PM, Craig James <craig_james(at)emolecules(dot)com> wrote:
>> A better solution is to implement a password-strength algorithm and require
>> people to select decent passwords to begin with.

> Exactly. If you allow simpler passwords that have to be changed you
> get things like:

> ilovemywife22 md5: b845aec254d018d118fe52c46ee8c98c

> changed to

> ilovemywife23 md5: 8c2b59e4d961478e3a9d5bd94979f329

> You can't tell how close they are by the md5. If you try to prevent
> people from reusing similar passwords, then you have to store either
> the previous passwords (bad security) or something like a soundex of
> the previous password (also bad security.)

A place I know but won't name has a policy of storing your last five
passwords (hopefully in md5'd form, but I don't actually know that) and
not letting you reuse those. Of course this merely encourages people to
use a cycle of six or so passwords, like something they can remember
with one digit tagged on.

The real problem with any such policy is that what you actually want is
for people to use strong passwords that they can remember, and they are
never going to remember a good password if they have to invent a new one
every month. Aforesaid place has an administrative system that I have
to use maybe two or three times a year, with a password change interval
that is shorter than my average time between uses. Am I going to invent
a strong password that I will need to change the very next time I have
use for it? If I take the trouble, will I actually remember it next
time? Not a chance. So I write it down ... and I'm way more security
conscious than most people. Their loss for having a brain-dead password
policy.

regards, tom lane
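Added editorial example, not code from anyone in this thread: a password-history check of the kind Tom describes (refuse the last five), implemented with per-entry salted PBKDF2-SHA256 rather than the bare md5 Scott quotes, plus a measurement of how far apart the two md5 digests above actually are. It shows both of the thread's points in running code: the history check accepts "ilovemywife23" right after "ilovemywife22" because a hash only answers "same or not", and a five-deep history is defeated by a rotation of six. The depth of 5, the round count (kept low so the demo runs quickly) and the pw0..pwN sample passwords are assumptions for the demo.

```python
"""Password-history check with salted hashes, and why it cannot see near-duplicates.

Editorial example for the pgsql-admin thread; not code from any poster.
Assumptions: history depth 5 with the current password counted, PBKDF2-SHA256
as the stored form (the thread only hopes for md5), and a deliberately low
round count so the demo finishes in about a second.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5        # assumption: "last five passwords", current one included
PBKDF2_ROUNDS = 20_000   # assumption: low for the demo; use far more in production


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per entry means equal
    passwords never produce equal digests, so history must be checked by
    recomputing against each stored salt, not by comparing digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a candidate against one stored entry."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Keeps salted hashes of the last `depth` passwords (current one included)
    and refuses an exact reuse of any of them. That is all a hash can tell you."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.entries: deque[tuple[bytes, bytes]] = deque(maxlen=depth)

    def is_reuse(self, password: str) -> bool:
        return any(matches(password, salt, digest) for salt, digest in self.entries)

    def change(self, new_password: str) -> bool:
        """Accept the new password unless it equals a stored one.
        Returns True on success; the oldest entry then falls off the deque."""
        if self.is_reuse(new_password):
            return False
        self.entries.append(hash_password(new_password))
        return True


def near_duplicate_slips_through() -> bool:
    """Scott's pair: the +1 variant is a different string, so a history check
    that can only answer 'equal or not' lets it through. Returns True."""
    history = PasswordHistory()
    history.change("ilovemywife22")
    return history.change("ilovemywife23")


def rotation_length(depth: int = HISTORY_DEPTH) -> int:
    """Distinct passwords a user needs before the first one is accepted again:
    depth + 1, i.e. Tom's 'cycle of six' for a five-deep history."""
    history = PasswordHistory(depth)
    history.change("pw0")                  # assumption: pw0..pwN are sample passwords
    n = 1
    while not history.change("pw0"):       # rejected while pw0 is still in the window
        history.change(f"pw{n}")           # push one more distinct password
        n += 1
    return n


def md5_bit_distance(a: str, b: str) -> int:
    """Hamming distance between the md5 digests of two strings. It sits near
    64 of 128 bits for any two distinct inputs, however similar, which is why
    the digests alone say nothing about how close the passwords are."""
    ha = int(hashlib.md5(a.encode()).hexdigest(), 16)
    hb = int(hashlib.md5(b.encode()).hexdigest(), 16)
    return bin(ha ^ hb).count("1")


if __name__ == "__main__":
    print("ilovemywife23 accepted after ilovemywife22:", near_duplicate_slips_through())
    print("distinct passwords needed to rotate back to the first:", rotation_length())
    print("md5 bits differing between the two:",
          md5_bit_distance("ilovemywife22", "ilovemywife23"))
```

The deque holds only salted hashes, so nothing recoverable about old passwords is stored; the price, as the thread says, is that the check cannot reject a near-duplicate, and a history of depth N is beaten by a rotation of N+1.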
