
Please do not change your password - ronnier
http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?rss_id=Boston+Globe+--+Ideas+section
======
tptacek
"Changing passwords is a waste of time" is the signal opinion of someone who
has never been on either end of a network penetration test before.

How the universe actually works is: (1) of 1,000 servers, break into 1, (2)
recover cached or hashed passwords, (3) reuse those passwords on every system
on the network, (4) repeat 1-3 until you own 90% of the machines on the
network.

There's lots of room to criticize bureaucratic security policies, but they
sure picked a dumb one to focus on.

~~~
pmiller2
I agree with you from a network administrator's point of view. But, from a
simple, home user's point of view, that person is going to get a lot more
security benefit out of making sure his or her software (in particular, web
browsers) is updated; running as an unprivileged user; and never directly
clicking on links in emails that claim to be from a financial institution,
than changing his or her passwords every X months.

The way a typical home system is compromised is through some sort of malware
infection. Take me as an example. Say you were able to get my Hacker News
password. What would that get you? You could log in to HN and post as me. Big
deal. That password gets you nothing in terms of being able to get to any of
my data that I'd consider valuable (which is all on my home systems, protected
by completely different passwords).

I think what we're supposed to take away from this article is that the only
security advice that's worth a damn is advice people actually follow. In other
words, you have to make it simple for them. Stuff like keeping software
updated is generally pretty easy because it can be done automatically; ditto
running as an unprivileged user and not clicking directly on links.

~~~
wglb
So in the vein of _the only security advice that's worth a damn is advice
people actually follow_, most non-technical people I know 1) don't check on
the link before they click it, 2) run as privileged, and 3) use the same
password everywhere. They are not following that advice.

Edit: And even if users check what link they are about to click, what of
shortened URLs?

