I read this weekend a very interesting article from someone I actually had the pleasure to meet in person. In the article, published in the latest issue of the Communications of the ACM, William Cheswick discusses the "state of the art" of password-related security issues. It is not often that you read such an interesting article that is, at the same time, so much fun to read.

Rethinking Passwords


The simplest way to recover from the compromise of a password is to change it. Ah, the good old days! This is just wrong now. Once an account is compromised, the rot sets in and spreads through further attacks and transitive trust. Other accounts are attacked with the same password, often successfully. Bank accounts are drained (at least temporarily—personal exposure has declined on this [3]), plasma screens ordered, billing addresses changed, and identities stolen.


You can also check out this presentation Ches gave at RSA back in 2011 on the same topic: