Re: Password Manager opinions and recommendations
On Mon, Mar 26, 2018 at 08:34:28PM +0100, Brian wrote:
> On Sun 25 Mar 2018 at 22:43:26 +0200, Ángel wrote:
> > On 2018-03-25 at 19:47 +0100, Brian wrote:
> > > 1 day after the breach your data had been compromised. Changing your
> > > password 10 days later on in your 1 month cycle doesn't seem to me to
> > > be reactive security. Better than nothing, I suppose, but closing the
> > > door after etc.
> > >
> > > In any case, your 20 character, high entropy password was your ultimate
> > > defence. (Not unless Yahoo! didn't hash).
> > Sure. If someone stole your password, be that by being compromised on
> > that free wifi without noticing, perhaps just someone looking at the
> > keys you pressed when entering your password, etc., the data you had up
> > to that point in that service should be considered compromised.
> > However, if the password was changed N days/months later, as part of a
> > periodic password change, that would mean that data processed after that
> > date would no longer be at risk, whereas otherwise the account would
> > continue being accessible by the bad actors for years (assuming that you
> > are not using a pattern that removes the benefit of rotating the
> > password!).
> I would be more accepting of this argument if it fitted with real world
> examples in other fields. Nobody offers the advice to change the locks
> on your front door or your car at regular intervals. But the computer
> security business has conjured up the "what if" argument to counteract
It's pretty difficult to steal someone's keys without them realising it
has happened. In contrast, password compromise happens without the
victim's knowledge all the time.