by kstrauser
1094 days ago
People who study this for a living say that you’re wrong on balance. For example, it would be great if everyone changed their password every time they logged into every service they used. Forget TOTP for 2FA — let’s make one-time passwords for everything! But in practice, making people change their passwords regularly ends up with them inventing convenient workarounds to avoid the mental overhead of having to learn a new password constantly. “Last month I used `Passw0rd!23`. This month I’ll use `Passw0rd!24`.” And then when their password DB is inevitably breached, an attacker has a pretty great guess as to what their password will be next month. In a perfect world where everyone perfectly followed perfect instructions to the letter, convenience isn’t critically important. In the one we actually live in, it is. And it’s not just me saying this.
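The `Passw0rd!23` to `Passw0rd!24` pattern described in the comment above is easy to make concrete. The following is an added example, not code from anyone in this thread: it shows how an attacker holding last month's breached password can recover this month's from a hash dump in a handful of guesses, and the kind of server-side check (at password-change time, when the old password is still in hand) that rejects such trivial variants. The breached password, the mutation rules, the PBKDF2 parameters, the salt and the edit-distance threshold are all constructed for illustration and are not a real policy or a real service's settings.

```python
"""Added example (not from the thread above): forced rotation produces guessable
"next" passwords, and a change-time check can refuse them.
All inputs below are constructed for illustration."""
import hashlib
import re
from typing import List, Optional

# Constructed sample: the password recovered from last month's breach.
BREACHED_PASSWORD = "Passw0rd!23"


def rotation_variants(old: str, limit: int = 12) -> List[str]:
    """Enumerate the 'next month' guesses for a user who bumps a counter.
    The mutation rules are assumptions about common habits, not a wordlist
    taken from any real tool."""
    guesses: List[str] = []
    # Case A: counter is the final run of digits  ("Passw0rd!23" -> "Passw0rd!24").
    # Case B: counter sits before one trailing symbol ("Passw0rd23!" -> "Passw0rd24!").
    for pattern in (r"^(.*?)(\d+)()$", r"^(.*?)(\d+)(\W)$"):
        m = re.match(pattern, old)
        if not m:
            continue
        head, digits, tail = m.groups()
        width = len(digits)
        n = int(digits)
        for step in range(1, limit + 1):
            bumped = (n + step) % (10 ** width)      # keep zero-padding width
            guesses.append(f"{head}{bumped:0{width}d}{tail}")
    # Users who append instead of bump: "Passw0rd!23" -> "Passw0rd!230" ... "!239".
    guesses += [old + str(d) for d in range(10)]
    return list(dict.fromkeys(guesses))             # dedupe, preserve order


def hash_password(pw: str, salt: bytes) -> bytes:
    """Stand-in for whatever slow hash the service stores; iteration count is
    illustrative and deliberately low so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


def attacker_recovers(stored_hash: bytes, salt: bytes, breached: str) -> Optional[str]:
    """Offline attack against a dumped hash: try only the rotation variants of
    the previously breached password. Returns the recovered password or None."""
    for guess in rotation_variants(breached):
        if hash_password(guess, salt) == stored_hash:
            return guess
    return None


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used as a similarity test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """Change-time check. The server has the old password in plaintext here only
    because the user just typed it to authorise the change; nothing is stored.
    The distance threshold of 2 is an assumption."""
    o, n = old.lower(), new.lower()
    if o == n or levenshtein(o, n) <= max_distance:
        return True
    return n in {g.lower() for g in rotation_variants(old)}


if __name__ == "__main__":
    salt = b"constructed-salt"
    dumped = hash_password("Passw0rd!24", salt)     # this month's "rotated" password
    print("attacker recovered:", attacker_recovers(dumped, salt, BREACHED_PASSWORD))
    print("reject Passw0rd!24:", is_trivial_variant(BREACHED_PASSWORD, "Passw0rd!24"))
    print("reject passphrase: ", is_trivial_variant(BREACHED_PASSWORD, "correct horse battery staple"))
```

The attacker needs fewer than two dozen guesses because the rotation policy told them the shape of the answer; the edit-distance check catches the same habit on the server before the new password is ever stored. Note that the check is only possible at change time, when the old password is supplied for re-authentication, which is one reason the comparison must never be done against a stored plaintext.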
Is this your polite, roundabout way of saying "A number of users are literally so stupid that they're incapable of making rational decisions in their own password management practices"?
I would tend to disagree. I think most people have the capability to follow instructions and act responsibly, when they want to. We really shouldn't be letting the general public drive 3-ton SUVs capable of rapidly accelerating to 120+ mph (200+ km/h) if that weren't true, right?