Date: Wed, 16 May 2018 08:00:32 -0400
From: "Denny O'Breham" <obreham@...il.com>
To: passwords@...ts.openwall.com
Subject: Keeping old passwords

I came across a Google methodology that I find strange. The fact that it is Google worries me a little bit more. I was wondering what people here thought about that.

So I was playing around and accessing my Google account with different browsers (including Tor), and once I returned to my 'usual' browser, Google forced me to change my password because of unusual activities on my account. Informing me is one thing, but forcing me to change my password really made me mad. But that is not the problem.

So I wanted to go back to my original password but, of course, it didn't allow me to use my previous password. I tried changing it 5 or 6 times (of course, with 5 or 6 different passwords) hoping it would forget the original password, but no luck; it probably keeps the passwords for some time duration (forever?).

Now when I log in - due to old habits - I often use the original password, which is no longer valid. Google then informs the user that 'You changed your password 10 days ago'. I tried with a random password and it tells me the usual 'Wrong password or username'.

Two problems:

1- Is it a good idea to keep old passwords (even encrypted) in a database? If the database is compromised, not only is my actual password at risk, but a bunch of my old passwords that I may or may not use somewhere else are at risk too.

2- Telling a user a different message when he successfully enters an old password is insane. All you need to do is some trial and error and you can guess not only the actual password, but any of the old passwords. The fact that Google can force a user to change it, guess what? It is more than probable that the user is still using this old password on other websites.

What do you think about this password management policy?
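As an added illustration of the two concerns raised in the post (not code from the original message or from Google), the sketch below keeps a bounded history of retired password hashes solely to reject reuse at change time, while the login path checks only the live credential and returns one generic failure message, so an old password is indistinguishable from any other wrong guess. The class, `HISTORY_DEPTH`, and the message strings are hypothetical choices made for this example.

```python
import hashlib
import hmac
import os

# Hypothetical policy values for this example: keep at most five retired
# passwords, and use one failure message for every unsuccessful login.
HISTORY_DEPTH = 5
GENERIC_FAILURE = "Wrong password or username"


def _kdf(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked history costs as much to crack as the live hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str):
        self.history = []  # (salt, digest) pairs for retired passwords, newest first
        self.salt, self.digest = self._hash(password)

    @staticmethod
    def _hash(password: str):
        salt = os.urandom(16)  # fresh salt per stored hash, history entries included
        return salt, _kdf(password, salt)

    def login(self, password: str) -> str:
        # Only the current credential is consulted. A retired password takes the
        # same path as a random wrong one, so the response leaks nothing about history.
        if hmac.compare_digest(_kdf(password, self.salt), self.digest):
            return "ok"
        return GENERIC_FAILURE

    def change_password(self, old: str, new: str) -> bool:
        if self.login(old) != "ok":
            return False
        # History is used here, and only here: refuse the current password and
        # the last HISTORY_DEPTH retired ones.
        candidates = [(self.salt, self.digest)] + self.history
        if any(hmac.compare_digest(_kdf(new, s), d) for s, d in candidates):
            return False
        # Retire the current hash; the oldest entry beyond the cap is dropped.
        self.history = ([(self.salt, self.digest)] + self.history)[:HISTORY_DEPTH]
        self.salt, self.digest = self._hash(new)
        return True
```

Bounding the history limits how many reusable secrets a database leak exposes, and keeping it out of the login path removes the oracle the post describes.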