Password expiry mitigation

Talk about internet security, computer security, personal security, your social security number...
Post Reply
User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Password expiry mitigation

Post by Thrawn » Tue Feb 02, 2016 10:34 pm

I recently realised that the pain of password expiry has an upside: if you actually generate good passwords every time (ie using a real source of randomness, not your own imagination), and if you keep records of all those passwords (and everyone who cares about passwords should really have encrypted storage of some kind), then whenever you come across a site where you need to sign up to something, you have a ready-made list of strong passwords that you no longer use anywhere sensitive, but that your fingers are trained to type.

To be clear, I think that password expiry is, in general, a poorly-conceived response to a small part of the overall problem. But since it exists, this is one way to make it less awful. Has anyone else experienced this?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0

barbaz
Senior Member
Posts: 9145
Joined: Sat Aug 03, 2013 5:45 pm

Re: Password expiry mitigation

Post by barbaz » Tue Feb 02, 2016 10:44 pm

Never done that - but then again, I don't know if I can always trust that sites would really erase my old, expired passwords, and what's to say that some MITM hasn't de-crypted some SSLv2 or SSLv3 traffic grabbed off me from back when that was the standard, and thus have my old password(s)? Image

Not every webmaster is like Giorgio in terms of privacy and the like.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Password expiry mitigation

Post by Thrawn » Wed Feb 03, 2016 3:08 am

:D Well, in my case, the source of expired passwords is my workplace. So the attack scenario would be that someone breaks into my employer's servers, steals old password hashes, cracks them, and uses them to...impersonate me when commenting on blogs. Yeah, not especially scared by that risk.

I wouldn't reuse expired passwords in the other direction, of course.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0

Post Reply