You've almost got it, but you've missed the main subtlety: I'm asking a question, not making a statement. I'm not advocating what we should do. I'm stating that what we should do is actually unknown because we don't have all of the information. Specifically, we don't know human behavior when it comes to rotating passwords. If it turns out that people actually choose good passwords under a rotating password policy, then we should keep the rotating password policy.

My only prescription is to say, instead of telling everyone "this is how you should behave" in order to achieve the best security, we should design our security policies based on how people actually behave. My assertion here is that if we do this, we will end up with better actual security than if we came up with a policy that, on paper, is better, but is not well implemented by people in the wild.
