Password expiry mitigation

Posted: Tue Feb 02, 2016 10:34 pm
by Thrawn
I recently realised that the pain of password expiry has an upside: if you actually generate good passwords every time (i.e. using a real source of randomness, not your own imagination), and if you keep records of all those passwords (and everyone who cares about passwords should really have encrypted storage of some kind), then whenever you come across a site where you need to sign up to something, you have a ready-made list of strong passwords that you no longer use anywhere sensitive, but that your fingers are trained to type.

To be clear, I think that password expiry is, in general, a poorly-conceived response to a small part of the overall problem. But since it exists, this is one way to make it less awful. Has anyone else experienced this?

Re: Password expiry mitigation

Posted: Tue Feb 02, 2016 10:44 pm
by barbaz
Never done that - but then again, I don't know if I can always trust that sites would really erase my old, expired passwords, and what's to say that some MITM hasn't decrypted some SSLv2 or SSLv3 traffic grabbed off me from back when that was the standard, and thus has my old password(s)?

Not every webmaster is like Giorgio in terms of privacy and the like.

Re: Password expiry mitigation

Posted: Wed Feb 03, 2016 3:08 am
by Thrawn
:D Well, in my case, the source of expired passwords is my workplace. So the attack scenario would be that someone breaks into my employer's servers, steals old password hashes, cracks them, and uses them to... impersonate me when commenting on blogs. Yeah, not especially scared by that risk.

I wouldn't reuse expired passwords in the other direction, of course.