Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder4.news.weretis.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed1.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.110 X-Spam-Level: * X-Spam-Evidence: '*H*': 0.81; '*S*': 0.03; 'sys': 0.07; 'admins': 0.09; 'high-profile': 0.09; 'okay': 0.09; 'cc:addr:python-list': 0.11; 'jan': 0.12; 'damage.': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'hashes': 0.16; 'merely': 0.16; 'wrote:': 0.18; 'cc:addr:python.org': 0.22; 'cc:2**0': 0.24; "i've": 0.25; 'possibly': 0.26; 'gets': 0.27; 'header:In-Reply- To:1': 0.27; '[1]': 0.29; 'am,': 0.29; 'related': 0.29; 'message- id:@mail.gmail.com': 0.30; 'changed.': 0.31; "d'aprano": 0.31; 'hacker': 0.31; 'steven': 0.31; 'another': 0.32; 'problem': 0.35; 'problem.': 0.35; 'but': 0.35; 'received:google.com': 0.35; 'passwords': 0.36; 'wrong': 0.37; 'itself': 0.39; 'days': 0.60; 'even': 0.60; 'maximum': 0.63; 'face': 0.64; 'more': 0.64; 'subject:Hello': 0.72; 'age': 0.80; '2015': 0.84; 'theft': 0.84; 'thoughtful': 0.84; 'recover': 0.91; 'subject:World': 0.91; 'to:none': 0.92; 'accounts,': 0.95; 'serious': 0.97 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=MU6cjRhQgIDxYINlW7hHoUjzQNf9ffABX5VN24njfrM=; b=xeF0xMF08v3vFAgqZFhfeuW0Oj6b33TuWCAoVXg0O93DqcCb3ME7+hG55Z5sS1JsrK wq72WDVOTBLduc7MqSePPytMvuxrcDjx5PlC84CnstB2W4k3cA9OTC16gNGggG+5Epzo v35Ceg2oDoADEBAzA3eX6rff4PCi4cr2ttbMcDoj6j4Asa/SvCF1egvjLFZfZGJUIWP2 cky0uT6aq1CZojy3qLUp7wiS/FPTPqt08NsCkfEM/RvbDKWBuhBygmMMvELrD1pbdNKS EShbdQth9Yb68C/L/PheIQ8Fm2+9UocTwkdnjCRFd29iAPoBpsoAu6FB/5zm7HM8nZMh AUqw== MIME-Version: 1.0 X-Received: by 10.42.95.12 with SMTP id d12mr21445177icn.12.1421539497552; Sat, 17 Jan 2015 16:04:57 -0800 (PST) In-Reply-To: <54baf443$0$13002$c3e8da3$5496439d@news.astraweb.com> References: <54957226$0$12975$c3e8da3$5496439d@news.astraweb.com> <54ae7b75$0$15900$e4fe514c@dreader35.news.xs4all.nl> <54ba76e0$0$15897$e4fe514c@dreader35.news.xs4all.nl> <54baf443$0$13002$c3e8da3$5496439d@news.astraweb.com> Date: Sun, 18 Jan 2015 11:04:57 +1100 Subject: Re: Hello World From: Chris Angelico Cc: "python-list@python.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 22 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1421539506 news.xs4all.nl 2856 [2001:888:2000:d::a6]:39719 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:83959 On Sun, Jan 18, 2015 at 10:46 AM, Steven D'Aprano wrote: > The merely poor reason given by the more thoughtful sys admins is, if the > password hashes get stolen, the hacker has a maximum of N days (and > possibly less) to crack the hashes and recover the passwords before they > get changed. That's okay as far as it goes, but it's the wrong solution for > the problem. Related to that is another reason I've heard: if your password is figured out by some means other than hash theft [1], there's a maximum of N days to make use of it. But let's face it, if someone gets hold of one of your accounts, it won't take long to do serious damage. Even if it's not a high-profile target like email or banking, a service with your password known by someone else is a problem *now*, not "after a month of research" or something. Password maximum age is the wrong solution to a few problems, and is itself a problem. Don't do it. ChrisA [1] eg http://xkcd.com/792/