Dear Linkedin,

Michael Thomas mike at mtcc.com
Sat Jun 9 01:29:18 UTC 2012


On 06/08/2012 05:59 PM, Ted Cooper wrote:
>
> They have some things correct in this and some are complete hogwash.
>
> Changing your password does not provide any additional security. It is
> meant to give protection against your credentials having been
> discovered, but if they have been compromised in that way, they'll have
> the one you change it to in next to no time too. If the hashes have been
> compromised, then yes, it's time to change the password.
>
> Having a different password for every website is very important though,
> as demonstrated many times when these lists of passwords and associated
> usernames turn up. Anyone who uses the same password on multiple sites
> will find that they have their accounts on multiple services accessed
> instead of just the original.


I agree that it's important, but everything about the current state
of affairs makes that impossible except for geeks that care about
password vaults, apparently. The great unwashed masses, however,
do not do this and there is no reason to expect that they will do
it any time soon.

My own experience with auto-generating hard passwords and dealing
with password recovery is that it seems to work really well, and that
it puts the onus on the *website* instead of the user. Every browser
has a password rememberer these days that happily fills in your username
and password. Every app that needs access can do the same thing. It
doesn't get you key rotation [*], but with passwords which are essentially
random and unique per site it's less necessary because you don't have
the cross-site contamination vulnerability.

Mike

[*] key rotation is largely orthogonal, but I suppose that it's feasible to
cook up a scheme that even got you that.
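The per-site random password scheme described above (a CSPRNG-generated, unique password for every site, so a leak at one site gives an attacker nothing usable elsewhere), as an added example that is not part of the original post or of any product it mentions. It simulates a small vault, shows the entropy of a generated password, and contrasts a reused-password vault with a unique-password vault under a credential-stuffing check; the alphabet, password length and site names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and ASCII punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw a password uniformly from `alphabet` using the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the latter is a
    Mersenne Twister whose state can be recovered from observed output.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly generated password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def build_vault(sites, length: int = 20) -> dict:
    """One independent random password per site, as a browser password store keeps them."""
    return {site: generate_password(length) for site in sites}


def reused_passwords(vault: dict) -> dict:
    """Map each password that appears more than once to the sites sharing it."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(s) for pw, s in by_password.items() if len(s) > 1}


def accounts_exposed(vault: dict, leaked_site: str) -> list:
    """Credential-stuffing check: the attacker has the plaintext password
    from `leaked_site` (e.g. recovered from a cracked hash dump) and tries
    it against every other account. Returns the accounts that fall."""
    leaked = vault[leaked_site]
    return sorted(site for site, pw in vault.items()
                  if site != leaked_site and pw == leaked)


if __name__ == "__main__":
    # Constructed site list for the demonstration.
    sites = ["mail.example", "bank.example", "forum.example", "shop.example"]

    # The "great unwashed masses" case: one password everywhere.
    reused = {site: "Summer2012!" for site in sites}
    print("reused vault, forum leaks ->", accounts_exposed(reused, "forum.example"))

    # The per-site random case Mike describes.
    unique = build_vault(sites)
    print("unique vault, forum leaks ->", accounts_exposed(unique, "forum.example"))
    print("entropy per password: %.1f bits" % entropy_bits(20))
```

With the reused vault, the single leaked password hands the attacker every other account; with the unique vault, the same leak exposes nothing else, which is the "cross-site contamination" the post refers to. A 20-character password over this alphabet carries about 131 bits of entropy, far beyond what offline hash cracking can cover, so the site's hashing choice becomes the weakest link rather than the user's password.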

More information about the NANOG mailing list