Date: Wed, 16 May 2018 12:04:32 -0400
From: Matt Weir <cweir@...edu>
To: passwords@...ts.openwall.com
Subject: Re: Keeping old passwords

There's a lot of things going on here, and to show my cards up front I think Google is taking the least bad options out of a lot of tough decisions here.

a) Forced password change based on unusual habits. This probably merits a whole other discussion, but the question is how much Google should focus on edge-case usability issues vs. standard user behavior. I'm actually seeing this tradeoff more and more in major providers, from Uber to AirBnB to Google, where policies are put in place with the full understanding that they make the service harder to use for these "edge cases" in order to increase the security of the system as a whole for the larger user base. While typically this is talked about as algorithmic discrimination in regards to race, economic situation, and gender, "power users" also tend to fall into these edge cases and are impacted as well. Algorithmic discrimination is a serious problem and I don't have any good solutions for how we as a society will tackle it going forward.

1) Keeping old passwords depends on the use case. It absolutely increases the risk of password cracking attacks, but other considerations include the user frustration factor, and the cost/risk of password resets when the user locks their account due to typing their old password in too many times, or simply resets it yet again. While I'm not privy to Google's risk analysis, they have mentioned in the past the steps they try and take to prevent offline attacks against password hashes. My guess is their main concern is with data leaked to online attacks. Given that an attacker would have to guess your old password to see the warning, without invoking any of the other rate limiting Google does, my first reaction is "Well, good thing you changed your password in the last 10 days! ;p" ((ducks)).

Joking aside, the risk Google probably feels it puts your data (and likewise their public reputation) at is balanced by the usability issues with alerting users that they were not using their current password.

Branching out, where you will also see passwords kept around is not only due to usability issues, but also to prevent the behavior you showed of trying to "change" their password multiple times back to the original one. This also dramatically raises the risk of passwords being cracked due to offline attacks. At the same time, the security provided by this approach is hotly debated. For example, users will often use simple tricks to get around it (for example, putting the month at the end of their password). Probably the best paper on this is: https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf.

I tend to fall against storing previous password hashes in most use cases, but I'll admit there are some situations where it makes sense when you look at the system as a whole. That being said, my experiences in the past have been that this practice generally causes more harm than good. With Google though, due to the usability issues and the efforts they put into preventing offline attacks and limiting online attacks, I think there is a case to be made that they are making the right decision.

Matt

On Wed, May 16, 2018 at 8:18 AM, e@...tmx.net <e@...tmx.net> wrote:
> On 05/16/2018 02:00 PM, Denny O'Breham wrote:
>>
>> I came about a Google methodology that I find strange. The fact that
>> it is Google worries me a little bit more. I was wondering what
>> people here thought about that.
>
>
> Google use these passwords for PASSWORD RECOVERY!!!
> what do i think?
> it is infuriating!!!
> google is both EVIL AND STUPID.
>
>
>> 1- Is it a good idea to keep old passwords
>
>
> if you are not google (i.e. do not have evil plans against your users)
> there is no reason for you to keep old passwords.
> if a user changed his password it is assumed compromised,
> which renders it useless for any non-malevolent purposes.
>
>> 2- Telling a user different messages when he successfully enters an
>> old password is insane.
>
>
> yes it is insane, it pours your password information on your enemies.
>
>
>> The fact that Google can force a user to change it, guess
>> what? It is more than probable that the user is still using this old
>> password on other websites.
>
>
> you are onto something :)
>
> actually, whenever you force a user to do something
> you damage his defensive security strategy
>
> and my guess is in agreement with yours
> google does it intentionally.
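The three points the thread argues over, in runnable form. This is an added example written for this archive page, not code from Google or from anyone in the thread; the `Account` class, the sample passwords and the iteration count are all constructed for the demo. It shows (1) a history of old password hashes letting the server reject direct re-use, (2) the "append the month" trick sailing through such an equality check, (3) a login path that answers differently for an old password acting as an oracle for anyone guessing, beside a uniform-response version, and (4) the cost side: every remembered hash is one more target in an offline attack on a leaked database.

```python
"""Password-history demo (added example; not from the thread).

All names, parameters and sample passwords are constructed for this demo.
"""
import hashlib
import hmac
import os
from collections import deque

# Deliberately low so the demo runs quickly; production PBKDF2 work factors
# are orders of magnitude higher (or use a memory-hard KDF instead).
ITERATIONS = 20_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 with a fresh random salt per stored hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Hypothetical account: current hash plus up to `history_size` old hashes."""

    def __init__(self, password, history_size=3):
        self.current = hash_password(password)
        self.history = deque(maxlen=history_size)  # entries are (salt, digest)

    def _matches_old(self, password):
        return any(verify_password(password, s, d) for s, d in self.history)

    def change_password(self, old, new):
        """Reject the change if `new` equals the current or any remembered password."""
        if not verify_password(old, *self.current):
            return False
        if verify_password(new, *self.current) or self._matches_old(new):
            return False
        self.history.append(self.current)
        self.current = hash_password(new)
        return True

    def login_leaky(self, attempt):
        """Distinct reply for an old password: confirms a correct guess to the guesser."""
        if verify_password(attempt, *self.current):
            return "ok"
        if self._matches_old(attempt):
            return "that is an old password; you changed it"
        return "invalid credentials"

    def login_uniform(self, attempt):
        """Same reply for old and wrong passwords: history is never consulted at login."""
        if verify_password(attempt, *self.current):
            return "ok"
        return "invalid credentials"

    def offline_targets(self):
        """Number of hashes an attacker gets to crack if this record leaks."""
        return 1 + len(self.history)


def demo():
    acct = Account("Spring2018")
    results = {}
    acct.change_password("Spring2018", "hunter22")
    # Direct re-use of a remembered password is caught ...
    results["reuse_rejected"] = not acct.change_password("hunter22", "Spring2018")
    # ... but the month-suffix trick from the thread passes an equality check.
    results["month_trick_accepted"] = acct.change_password("hunter22", "Spring2018May")
    # Guessing an old password: the leaky login confirms it, the uniform one does not.
    results["leaky_reply"] = acct.login_leaky("Spring2018")
    results["uniform_reply"] = acct.login_uniform("Spring2018")
    # Each remembered hash is another target for an offline cracking run.
    results["offline_targets"] = acct.offline_targets()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The history check catches only exact re-use; a history of hashes cannot see that "Spring2018May" is a one-token edit of "Spring2018" without keeping something reversible, which is the trade-off the CCS 2010 paper linked above examines. Keeping the login response uniform removes the oracle regardless of what the history store holds.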