Date: Wed, 16 May 2018 14:18:16 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Keeping old passwords

On 05/16/2018 02:00 PM, Denny O'Breham wrote:
> I came about a Google methodology that I find strange. The fact that
> it is Google worries me a little bit more. I was wondering what
> people here thought about that.

Google use these passwords for PASSWORD RECOVERY!!!

what do i think? it is infuriating!!! google is both EVIL AND STUPID.

> 1- Is it a good idea to keep old passwords

if you are not google (i.e. do not have evil plans against your users)
there is no reason for you to keep old passwords.
if a user changed his password it is assumed compromised, which renders
it useless for any non-malevolent purposes.

> 2- Telling a user a different message when he successfully enters an
> old password is insane.

yes it is insane, it pours your password information on your enemies.

> The fact that Google can force a user to change it, guess
> what? It is more than probable that the user is still using this old
> password on other websites.

you are onto something :)
actually, whenever you force a user to do something you damage his
defensive security strategy and my guess is in agreement with yours
google does it intentionally.