Date: Wed, 16 May 2018 22:08:57 +0200
From: Solar Designer <solar@...nwall.com>
To: passwords@...ts.openwall.com
Subject: Re: Keeping old passwords

On Wed, May 16, 2018 at 12:04:32PM -0400, Matt Weir wrote:
> While I'm not privy to Google's risk analysis, they have mentioned in
> the past the steps they try and take to prevent offline attacks against
> password hashes.

Did they? Can you post some links, please?

> My guess is their main concern is with data leaked to online attacks.

I think so too - more specifically, it's unauthorized logins using same
passwords reused on other (non-Google) services. I recall this being
mentioned as the primary problem with passwords in a Googler's talk some
years ago. But I am unaware of them publicly describing their measures
against offline attacks.

I don't know what Google does, but it is possible they don't store past
password (hashes) indefinitely unless it's a password they suspect was
compromised (such as in Denny's example). Or do we know they don't permit
reverting to an old password on a Google account even when there was no
indication that anything looked suspicious to them?

FWIW, I'm generally against password histories.

Now, with my list moderator hat on, since I am posting a message to this
thread anyway: I suspect at least one person is unhappy with this list's
moderation - I rejected a message that said only the below:

"Google has no regard for common sense when it comes to security. Why
would this be any exception?"

I understand that my rejecting this (which I did for the message lacking
on-topic content) yet letting all of e's messages through looks weird at
least to that one person. A reason for the discrepancy is that the list
is actually not pre-moderated for subscribers, and the only reason that
person's message was held for moderation was that it was sent from a
non-subscribed envelope-from address.

Also, if it contained on-topic content in addition to that off-topic
line, I'd probably let it through (just like I'm OK with quoting that
line in this longer message). Probably there are also people unhappy
with some of this getting through, but I am not going to apply more
subjective criteria nor set the list to pre-moderated even for
subscribers just yet.

Indeed, a one-line message isn't worth a multi-paragraph explanation
above (I could as well optimize by letting the message through and not
explaining), but I use this opportunity to explain how the list is run.

Alexander