Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 16 May 2018 12:04:32 -0400
From: Matt Weir <cweir@...edu>
To: passwords@...ts.openwall.com
Subject: Re: Keeping old passwords

There's a lot of things going on here, and to show my cards up front I
think Google is taking the least bad options out of a lot of tough
decisions here.

a) Forced password change based on unusual habits. This probably
merits a whole other discussion but the question is how much Google
should focus on edge case usability issues vs standard user behavior.
I'm actually seeing this tradeoff more and more in major providers
from Uber, to AirBnB, to Google where policies are put in place with
the full understanding that it makes the service harder to use for
these "edge cases" in order to increase security of the system as a
whole for the larger user-base. While typically this is talked about
as algorithmic discrimination in regards to race, economic situation,
and gender, "power users" also tend to fall into these edge cases and
are impacted as well. Algorithmic discrimination is a serious problem
and I don't have any good solutions for how we as a society will
tackle it going forward.

1) Keeping old passwords depends on the use-case. It absolutely
increases the risk of password cracking attacks but other
considerations include the user frustration factor, and the cost/risk
of password resets when the user locks their account due to typing
their old password in too many times, or simply resets it yet again.
While I'm not privy to Google's risk analysis, they have mentioned in
the past the steps they try an take to prevent offline attacks against
password hashes. My guess is their main concern is with data leaked to
online attacks. Given that an attacker would have to guess your old
password to see the warning, without invoking any of the other rate
limiting Google does, my first reaction is "Well good thing you
changed your password in the last 10 days! ;p ((ducks)). Joking aside,
the risk Google probably feels that it puts your data, (and likewise
their public reputation), is balanced by the usability issues with
alerting users that they were not using their current password.

Branching out, where you will also see passwords kept around is not
due to usability issues, but also to prevent the behavior you showed
of trying to "change" their password multiple times back to the
original one. This also dramatically raises the risk of passwords
being cracked due to offline attacks. At the same time, the security
provided by this approach is hotly debated. For example, users will
often use simple tricks to get around it, (for example putting the
month at the end of their password).  Probably the best paper on this
is: https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf.

I tend to fall against storing previous password hashes in most
use-cases, but I'll admit there are some situations it makes sense
when you look at the system as a whole. That being said, my
experiences in the past have been that this practice generally causes
more harm then good. With Google though, due to the usability issues
and the efforts they put into preventing offline attacks and limiting
online attacks, I think there is a case to be made that they are
making the right decision.

Matt


On Wed, May 16, 2018 at 8:18 AM, e@...tmx.net <e@...tmx.net> wrote:
> On 05/16/2018 02:00 PM, Denny O'Breham wrote:
>>
>> I  came about a Google methodology that I find strange.  The fact that
>> it is Google worries me a little bit more.  I was wondering what
>> people here thought about that.
>
>
> Google use these passwords for PASSWORD RECOVERY!!!
> what do i think?
> it is infuriating!!!
> google is both EVIL AND STUPID.
>
>
>> 1- Is it a good idea to keep old passwords
>
>
> if you are not google (i.e. do not have evil plans against your users)
> there is no reason for you to keep old passwords.
> if a user changed his password it is assumed compromised,
> which renders it useless for any non-malevolent purposes.
>
>> 2- Telling a user a different messages when he successfully enters an
>> old password is insane.
>
>
> yes it is insane, it pours your password information on your enemies.
>
>
>> The fact that Google can force a user to change it, guess
>> what? It is more than probable that the user is still using this old
>> password on other websites.
>
>
> you are onto something :)
>
> actually, whenever you force a user to do something
> you damage his defensive security strategy
>
> and my guess is in agreement with yours
> google does it intentionally.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.