Quote:
Originally Posted by Willravel
Same. I read the message as "we assume you suck at picking or maintaining passwords, so we're forcing you to change yours." My password is fine. All of my passwords online are just fine. A 15+ digit, random, alpha-numeric password is basically as secure as you can get within reason.
Until unsalted hashes of everyone's passwords on a given site are acquired and rapidly decrypted with a rainbow table. If password storage on the server side is poor, like stored in plain text (I've seen it), or stored unsalted, there is another attack vector independent of the brute-force strength of your password. From Cyn's post, I assume he had a concern about server-side password security, and forcing users to change passwords is a great way to assuage that concern. It's part of the reason (good) sysdbas and network administrators enforce password complexity as well as forced obsolescence.