Web lists-archives.com

Re: Password Manager opinions and recommendations




On Mon, Mar 26, 2018 at 08:34:28PM +0100, Brian wrote:
> On Sun 25 Mar 2018 at 22:43:26 +0200, Ángel wrote:
> 
> > On 2018-03-25 at 19:47 +0100, Brian wrote:
> > > 1 day after the breach your data had been compromised. Changing your
> > > password 10 days later on in your 1 month cycle doesn't seem to me to
> > > be reactive security. Better than nothing, I suppose, but closing the
> > > door after etc.
> > > 
> > > In any case, your 20 character, high entropy password was your ultimate
> > > defence. (Not unless Yahoo! didn't hash).
> > 
> > 
> > Sure. If someone stole your password, be that by compromising and
> > injecting a password-stealing javascript server side, due to a sslstrip
> > you didn't notice on that free wifi, perhaps just someone looking at the
> > keys you pressed when entering your password, etc. the data you had up
> > to that point in that service should be considered compromised.
> > 
> > However, if the password was changed N days/months later, as part of a
> > periodic password change, that would mean that data processed after that
> > date would no longer be in risk, whereas otherwise the account would
> > continue being accessible by the bad actors for years (assuming that you
> > are not using a pattern that removes the benefit or rotating the
> > password!).
> 
> I would be more accepting of this argument if it fitted with real world
> examples in other fields. Nobody offers the advice to change the locks
> on your front door or your car at regular intervals. But the computer
> security business has conjured up the "what if" argument to counteract
> commensense.
> 
It's pretty difficult to steal someone's keys without them realising it 
has happened. In contrast, password compromise happens without the 
victim's knowledge all the time.

Mark