Notes
1. F. Cohen, “Change Your Password—Do Si Do,” Network Security Magazine as part of the “Managing Network Security” series, September 1997. This article is largely a reprise of the cited article. Rather than referring back to that article again and again, I will shamelessly copy without further citation. The reader is advised to review the previous article online at all.net.
2. For a fee we can come up with worse assumptions and eventually find some where periodic password changes may be justified. Of course, for another fee, we are available to challenge those bad assumptions.
3. If you are running that close to the edge, improve password quality and make time-to-guess larger.
4. In one case that was identified, a password from an important application was also used for an unimportant test application. The test application did not encrypt passwords, and the unencrypted password file was put on a public server in close proximity to the important system, where it was left for 9 months before being exploited.