Date: Thu, 16 May 2019 21:47:08 -0400
From: "Denny O'Breham" <obreham@...il.com>
To: passwords@...ts.openwall.com
Subject: Re: Keeping old passwords

For people interested in the subject, I got rid of the message 'You changed
your password [X time] ago' that appeared when using the old password a few
days ago.  So it looks like Google keeps old passwords for one year.

On Wed, May 16, 2018 at 8:00 AM Denny O'Breham <obreham@...il.com> wrote:

> I came across a Google methodology that I find strange.  The fact that
> it is Google worries me a little bit more.  I was wondering what
> people here thought about that.
>
> So I was playing around and accessing my Google account with different
> browsers (including Tor) and once I returned to my 'usual' browser,
> Google forced me to change my password because of unusual activities
> on my account.  Informing me is one thing, but forcing me to change my
> password really made me mad.  But that is not the problem.
>
> So I wanted to go back to my original password but, of course, it
> didn't allow me to use my previous password.  I tried changing it 5 or
> 6 times (of course, with 5 or 6 different passwords) hoping it would
> forget the original password, but no luck; it probably keeps the
> passwords for some time duration (forever?).
>
> Now when I log in - due to old habits - I often use the original
> password which is no longer valid.  Google then informs the user that
> 'You changed your password 10 days ago'.  I tried with a random
> password and it tells me the usual 'Wrong password or username'.
>
> Two problems:
>
> 1- Is it a good idea to keep old passwords (even encrypted) in a
> database?  If the database is compromised, not only my actual password
> is at risk, but a bunch of my old passwords that I may or may not use
> somewhere else are at risk too.
>
> 2- Telling a user a different message when he successfully enters an
> old password is insane.  All you need to do is some trial and error
> and you can guess not only the actual password, but any of the old
> passwords.  The fact that Google can force a user to change it, guess
> what? It is more than probable that the user is still using this old
> password on other websites.
>
> What do you think about this password management policy?
>

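The two behaviours the thread contrasts, as an added Python example that is not part of this list post: a retained password history is consulted only when the password is changed (to refuse reuse), while login compares the candidate against the current hash alone and returns a single failure message, so a former password is indistinguishable from a random one. `Account`, `login_leaky`, `login_uniform` and the history length of 5 are assumed names and constructed values, not anything Google documents.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept low for the demo; production wants far more or a memory-hard KDF


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_entry(password: str) -> tuple[bytes, bytes]:
    """Each stored password gets its own salt, so history entries crack independently."""
    salt = os.urandom(16)
    return salt, hash_pw(password, salt)


def matches(password: str, entry: tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hmac.compare_digest(hash_pw(password, salt), digest)


class Account:
    def __init__(self, password: str, history_len: int = 5):
        self.current = new_entry(password)
        self.history: list[tuple[bytes, bytes]] = []  # former passwords, used only for reuse checks
        self.history_len = history_len

    def change_password(self, new: str) -> bool:
        """Reuse prevention belongs here, at change time, never in the login path."""
        if any(matches(new, e) for e in [self.current] + self.history):
            return False
        self.history = ([self.current] + self.history)[: self.history_len]
        self.current = new_entry(new)
        return True


def login_leaky(acct: Account, password: str) -> str:
    """The behaviour the post describes: a former password earns its own message,
    which turns the login form into an oracle for the whole password history."""
    if matches(password, acct.current):
        return "ok"
    if any(matches(password, e) for e in acct.history):
        return "You changed your password recently"
    return "Wrong password or username"


def login_uniform(acct: Account, password: str) -> str:
    """Hardened: login consults only the current hash and has exactly one failure message."""
    return "ok" if matches(password, acct.current) else "Wrong password or username"
```

Both functions store the same history; the difference is solely whether the login path reads it, which is the property the post objects to.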