by m3047 1092 days ago
Changing passwords as a cracking mitigation is "bad medicine", always has been, and is now acknowledged as such.

Mathematically, imagine it is raining (stochastically speaking, evenly distributed on the interval, with replacement). Are you more or less likely to get hit by a rain drop if you dance around or stand still? Nope, odds are the same. (Although technically by moving around a lot you are sweeping space and thereby increasing the surface area for rain to impact + amount of rain, so actually you are increasing the odds.)

Ok, try this instead. Flip a coin and guess whether it's heads or tails. Does it matter whether I guess heads every time, alternate heads/tails, or flip another coin? No, it does not.

Now in the case of people who re-use passwords... in the longer term we'll find out whether the propensity to be one or the other produces an evolutionary signal or whether people are impossibly bad at "random" in any case.

Finally, imagine someone cracking passwords: this is your adversary, and there is only one. Are they going to start with the hardest, most difficult to compute / type / memorize / come up with in the first place passwords? Let's encourage them to do that, and start with passwords which you'd never be able to enumerate starting from null before the heat death of the universe. Ok, so maybe that won't work, they're going to start with the easy ones first. So in this case, the optimal strategy would be to pick a really difficult password, and then at some point in time switch to one of the easy ones since it's already been checked.

How's your migraine now?
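As an added illustration (not part of m3047's post), the "raining" argument above can be written out as a small probability model. The model is an assumption of this example, taken from the post's description: an attacker makes n independent guesses, each uniform over S candidate passwords and drawn with replacement; the defender either keeps one password or rotates to a fresh, never-before-used one every k guesses. The compromise probability is computed in closed form and checked by Monte Carlo, and a third variant follows the post's parenthetical about "sweeping space" by letting rotated-out passwords still count as hits (the assumption being that they remain valid somewhere, or the user reuses them). The parameter values S, n and k are arbitrary.

```python
"""Added example, not part of the HN post: a toy model of the "raining" argument.

Model (an assumption of this example, following the post's description):
an attacker makes n independent guesses, each uniform over S candidate
passwords, drawn WITH replacement.  The defender either keeps one password
or rotates to a fresh, never-before-used uniform one every k guesses.
The compromise probability is computed exactly and checked by Monte Carlo.
A third variant models the post's parenthetical about "sweeping space":
if previously used passwords still count as hits (they remain valid on
another system, or the user reuses them), rotation enlarges the target.
"""
import random


def p_hit_static(S: int, n: int) -> float:
    """Exact P(at least one of n uniform guesses equals the single fixed password)."""
    return 1.0 - (1.0 - 1.0 / S) ** n


def p_hit_rotating(S: int, n: int, k: int) -> float:
    """Exact P(hit) when the defender rotates every k guesses.

    Every guess is independent and, whatever the current password is, it is
    one value out of S, so each guess still hits with probability 1/S.  The
    result does not depend on k: "dancing around" changes nothing.
    """
    del k  # intentionally unused; the closed form equals the static case
    return 1.0 - (1.0 - 1.0 / S) ** n


def p_hit_rotating_old_live(S: int, n: int, k: int) -> float:
    """Exact P(hit) when rotated-out passwords still count as hits.

    During guess t the defender has used t // k + 1 distinct passwords, so a
    uniform guess hits with probability (t // k + 1) / S.
    """
    p_no_hit = 1.0
    for t in range(n):
        live = t // k + 1
        p_no_hit *= 1.0 - live / S
    return 1.0 - p_no_hit


def simulate(S: int, n: int, k: int, old_live: bool, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of the same quantity (k >= n means never rotate)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        used = set()
        current = None
        for t in range(n):
            if t % k == 0:  # initial pick at t = 0, then every k guesses
                current = rng.randrange(S)
                while current in used:  # fresh password, never used before
                    current = rng.randrange(S)
                used.add(current)
            guess = rng.randrange(S)
            if guess == current or (old_live and guess in used):
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    S, n, k = 200, 100, 20  # arbitrary parameters chosen for this example
    print(f"static    exact={p_hit_static(S, n):.4f}  "
          f"sim={simulate(S, n, n, False, 8000):.4f}")
    print(f"rotating  exact={p_hit_rotating(S, n, k):.4f}  "
          f"sim={simulate(S, n, k, False, 8000):.4f}")
    print(f"old live  exact={p_hit_rotating_old_live(S, n, k):.4f}  "
          f"sim={simulate(S, n, k, True, 8000):.4f}")
```

With S=200, n=100, k=20 the static and rotating cases both come out at roughly 0.39, while the variant in which old passwords stay live climbs to roughly 0.78, which is the "increasing the surface area" effect the post mentions in passing.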

1 comment

It's an exposure mitigation rather than a cracking mitigation, isn't it? The idea is that if it got badly stored somewhere it's only dangerous for 30 days or whatever.

Yes, I suppose it is an exposure mitigation as well. Although if someone is having users change passwords every 30 days (or 30 seconds? whatever) due to exposure I have a lot of WTF questions. If passwords suffer from that much unavoidable exposure I'd be expecting automated systems (hello HOTP / TOTP) and OOB authenticators which are resistant or agnostic to that exposure.

(ssa.gov generates printable one-time pads if you're masochistic enough to request one.)
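The HOTP / TOTP systems mentioned in the reply above are the standard answer to "the secret got exposed, how long is it dangerous for": the shared secret never leaves the two endpoints, and what crosses the wire is a one-time code that the server will not accept twice. The following is an added example, not code from the thread: HOTP per RFC 4226 and TOTP per RFC 6238, checked against the test vectors both RFCs publish for the 20-byte ASCII secret "12345678901234567890". The `HotpVerifier` class is this example's own illustration of the server side (resynchronisation window and replay rejection); its `look_ahead` width is an arbitrary choice.

```python
"""Added example, not from the thread: HOTP (RFC 4226) and TOTP (RFC 6238),
the "automated systems" the reply mentions as resistant to exposure.

Checked against the test vectors published in both RFCs (20-byte ASCII
secret "12345678901234567890").  HotpVerifier is this example's own
illustration of why a captured code is low-value: each counter value is
accepted once, so a replayed code fails.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((T - T0) / step)."""
    return hotp(secret, (int(for_time) - t0) // step, digits, digestmod)


class HotpVerifier:
    """Server side (example's own design): accept a code for any counter in
    [next_counter, next_counter + look_ahead], then advance past the accepted
    counter so the same code cannot be replayed and earlier codes are dead."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead  # arbitrary resynchronisation window

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


RFC_SECRET = b"12345678901234567890"  # shared secret from the RFC test vectors

if __name__ == "__main__":
    print([hotp(RFC_SECRET, c) for c in range(3)])  # ['755224', '287082', '359152']
    print(totp(RFC_SECRET, 59, digits=8))             # 94287082 (RFC 6238 vector)
    print(totp(RFC_SECRET, time.time()))              # code for the current 30 s window
    v = HotpVerifier(RFC_SECRET)
    print(v.verify("755224"), v.verify("755224"))     # True False (replay rejected)
```

Note that the verifier compares with `hmac.compare_digest` rather than `==` so that a timing side channel does not leak which digits matched, and that once counter 3 has been accepted the codes for counters 0 to 2 are rejected even though they were never used: exposure of a code buys the attacker at most one login attempt, and only until the legitimate user logs in again.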