On 7 August 2014 12:04, Brian Wolff bawolff@gmail.com wrote:
Oh I have no problem with regular forced password changes, say quarterly or so; I'm used to that in other contexts. But not a one-time password, which will actually increase risk because people will choose "keep me logged in" to avoid having to get a new password every time they want to log in.
I believe there's some research to suggest that quarterly password changes decrease overall security. I personally would not like having to do that.
These tend also to be solutions coming from moneyed countries, and some of these things involve technology that is not globally available.
I'm not sure what you mean by that.
A lot of the "solutions" normally bandied about involve things like two-factor identification, which has the "additional" password coming through a separate route (e.g., Gmail two-factor ID sends a second password as a text to a mobile and means having more expensive technology) or using technology like dongles that cannot be sent to users in certain countries.
I stick to my strong passwords and also subscribe to the xkcd password theory.[1]
Risker/Anne