On 06/08/2012 05:59 PM, Ted Cooper wrote:
> They have some things correct in this and some are complete hogwash.
> Changing your password does not provide any additional security. It is meant to give protection against your credentials having been discovered, but if they have been compromised in that way, they'll have the one you change it to in next to no time too. If the hashes have been compromised, then yes, it's time to change the password.
> Having a different password for every website is very important though, as demonstrated many times when these lists of passwords and associated usernames turn up. Anyone who uses the same password on multiple sites will find that they have their accounts on multiple services accessed instead of just the original.
I agree that it's important, but everything about the current state of affairs makes that impossible except for geeks that care about password vaults, apparently. The great unwashed masses, however, do not do this and there is no reason to expect that they will do it any time soon. My own experience with auto-generating hard passwords and dealing with password recovery is that it seems to work really well, and that it puts the onus on the *website* instead of the user. Every browser has a password rememberer these days that happily fills in your username and password. Every app that needs access can do the same thing. It doesn't get you key rotation [*], but with passwords which are essentially random and unique per site it's less necessary because you don't have the cross-site contamination vulnerability.

Mike

[*] key rotation is largely orthogonal, but I suppose that it's feasible to cook up a scheme that even got you that.
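The cross-site contamination argument above, as an added simulation that is not part of this thread: two constructed sites store salted PBKDF2 hashes, site A suffers a plaintext breach, and site B runs the defensive check a responsible site performs after a third-party breach (verifying leaked pairs against its own records so it can force resets). Users who reuse their password show up as at risk; users with a random per-site password do not. User names, iteration count and the breach itself are constructed for the example.

```python
import hashlib
import os
import secrets

ITERATIONS = 10_000  # toy value for the example; production sites use far more


def store(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) as a site would keep it; never the plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)


def per_site_password() -> str:
    """What a browser or vault generates: random, unique to one site."""
    return secrets.token_urlsafe(16)


def accounts_at_risk(site_db: dict, leaked_pairs: list) -> list:
    """Defender's check at the *unbreached* site: which of its accounts does a
    breach elsewhere open? Those are the ones to reset proactively."""
    return sorted(user for user, pw in leaked_pairs
                  if user in site_db and verify(pw, site_db[user]))


def simulate(reusers: set) -> list:
    """Constructed scenario: three users on sites A and B; `reusers` use the
    same password on both; site A leaks plaintext credentials."""
    users = ["alice", "bob", "carol"]
    site_a, site_b, leaked = {}, {}, []
    for user in users:
        pw_a = per_site_password()
        pw_b = pw_a if user in reusers else per_site_password()
        site_a[user] = store(pw_a)
        site_b[user] = store(pw_b)
        leaked.append((user, pw_a))  # the breach at A exposes every pair
    return accounts_at_risk(site_b, leaked)


if __name__ == "__main__":
    print("everyone reuses:", simulate({"alice", "bob", "carol"}))
    print("only bob reuses:", simulate({"bob"}))
    print("unique per site:", simulate(set()))
```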