Jesse Keating <jkeating@xxxxxxxxxx> writes:

> There is a theory that changing passwords on a regular basis lessens the
> risk of somebody's password being stolen and used nefariously.
> Depending on the account compromised the damage increases from nuisance
> to legally damaging.

There is a theory (which I find more credible) that changing passwords has at best no effect, and at worst increases the risk of somebody's password being stolen and used nefariously.

People who are forced to change passwords write them down or pick really crappy passwords based on sequences, or both. If you give me the old password for a random account, I am fairly sure I can give ten options for the new password, and 4 out of 5 times one of the options will match.

Password changes were a defense against brute forcing of the hashed password. These days you don't allow anyone to access the hashed password, so that isn't a worry. If someone DID get access to the hashed password, you have lost anyway, because computers are just too fast. The password change policy would have to be something like twice a day.

/Benny

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
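
The reply above argues that forced changes produce new passwords derived from the old one. As an added example (not part of the original message), here is a change-time check a defender could run to reject such derivatives. It assumes the change form collects the current password in cleartext; the function names, the threshold and the sample passwords are constructed for illustration.

```python
import re

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def stem(pw: str) -> str:
    """Lower-case, then strip leading/trailing digits and punctuation
    (counters, years, a trailing '!')."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())

def predictable_change(old: str, new: str, min_diff: int = 4):
    """Return a reason if `new` is an easy derivative of `old`, else None.
    min_diff is a hypothetical policy threshold, not a standard value."""
    lo, ln = old.lower(), new.lower()
    if lo == ln:
        return "case change only"
    if lo == ln[::-1]:
        return "reversed"
    if stem(old) and stem(old) == stem(new):
        return "same stem, different counter/suffix"
    if lo in ln or ln in lo:
        return "old password contained in new (or vice versa)"
    d = edit_distance(old, new)
    if d < min_diff:
        return f"only {d} character edits from old password"
    return None

if __name__ == "__main__":
    # Constructed old/new pairs, not taken from any real account.
    for old, new in [("Fedora#7", "Fedora#8"), ("hunter2", "HUNTER2"),
                     ("rawhide", "myrawhidebox"), ("bluegreen", "bluegrean"),
                     ("Fedora#7", "plinth-odour-kelp")]:
        print(f"{old!r} -> {new!r}: {predictable_change(old, new) or 'accepted'}")
```

A check like this only catches mechanical derivations of the previous password; it does not address written-down passwords, the other failure the reply mentions.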