
Do Strong Web Passwords Accomplish Anything? - soundsop
http://www.schneier.com/blog/archives/2009/07/strong_web_pass.html
======
pert
"If I have to change it every XX days, I tend to pick very easy to remember
passwords, and just change a digit at the end of it every time. As a result of
this password "enhancement" system, I think I personally have much weaker
passwords."

Assuming that "XX days" === 'less than 100 days', I totally agree.

We use a six month password cycle at work, and I think that's reasonable as it
only takes me a few days to remember a password that I use tens of times a
day. If it's a password that I use less frequently or a change is mandated
more frequently, then I would do the same as Bruce and use something more
obvious or only make small changes to the password each time.

~~~
lucumo
_> [...] I would do the same as Bruce and use something more obvious or only
make small changes to the password each time._

That's not Bruce. That was a comment from a reader.

~~~
pert
Doh!

------
tetha
Indeed, this is a very good recall on the old security saying: "If I need your
password, I call you and ask you for it."

------
sarvesh
Yes, it makes it easier for users to forget the password. Passwords should be
strong enough that brute force attacks aren't easy, but some websites try to
enforce ridiculously hard passwords, which eventually results in the user
forgetting his password. Kinda defeats the purpose.

