I think denying users from using old passwords is inconvenience without enough return. Furthermore, it means old passwords are still stored somewhere... the whole password history for the whole set of accounts! What if that gets stolen?


@alvarezp @alcinnz While the topic of forcing password changes regularly is debatable, password history information is/should of course not just be stored in the clear. Only (hopefully well-salted) password hashes are stored.

@emanuel @alcinnz I would say it's better if they are not stored at all, not even in salted hash form.

A reason for password change could be to increase security by not having that salted hash stored (or password) anymore on that service.

On the UI, the service may try and make me not use my immediately previous password but any of the older passwords should be OK.

@alvarezp @emanuel @alcinnz Password history is actually kind of important these days. For that matter, I think it’d be good to check a proposed password against a badlist, populated by username/compromised passwords, and reject already revealed passwords associated with the user ID. Passwords should be changed when compromised, not as a time-based event.

@SuperFloppies @emanuel @alcinnz The argument of importance is given by the "periodic password change" people too, and they feel it as a need, but that does not prove it is a good security practice.

Same with the password history technique: it is perceived as a need and it is perceived as important but it does not do any more good than the complexity, risks and inconveniences it adds.

@alvarezp @emanuel @alcinnz Reusing old passwords represents a real risk. How many people do you know that check to see if the password they use is known to the Internet, or reuse work passwords for personal accounts?

A good auth system will monitor those things for you and prohibit you from using a compromised password. But there is a sound logical reason for this. There never has been for age-based password expiration.

@SuperFloppies @emanuel @alcinnz It's not the same to reuse old passwords as to reuse leaked ones. A company can check against its known-leaked password database and reject with "can't reuse a known-leaked password". If that database is stolen, no problem: it was already leaked.

But old vs leaked, there is no correlation: not all old passwords are leaked *unless the leaked database contained whole password histories*, which made it worse for all!
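The two checks contrasted in this post, as an added example that is not code from any participant: a known-leaked list kept as plain SHA-1 digests (it is public already, so a theft of it changes nothing) beside a per-user history kept as individually salted PBKDF2 hashes; all sample passwords and the leaked list are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample of known-leaked passwords, stored only as SHA-1 digests.
# No salt: the list is already public, so there is nothing left to protect.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "letmein")
}

ITERATIONS = 100_000  # assumed work factor for the history hashes


def history_entry(password: str) -> tuple[bytes, bytes]:
    """Record a previous password as (salt, slow hash), so a stolen history
    store cannot be read back directly and cannot be attacked in bulk."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def is_known_leaked(password: str) -> bool:
    """Membership test against the public leaked-password digests."""
    return hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1


def in_history(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Every history entry has its own salt, so the candidate must be
    re-hashed once per stored entry; cost grows with history length."""
    for salt, digest in history:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if hmac.compare_digest(cand, digest):
            return True
    return False


def check_new_password(password: str, history: list[tuple[bytes, bytes]]) -> str:
    """Apply the leaked-password check first, then the history check."""
    if is_known_leaked(password):
        return "rejected: known-leaked password"
    if in_history(password, history):
        return "rejected: matches a previous password"
    return "accepted"
```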

@alvarezp @emanuel @alcinnz And you make zero consideration for the possibility that an unknown leak has occurred. Old passwords could be compromised. New ones, probably not.

Security comes in layers. When there is a good reason to cast away a layer, fine. This? Not that.

But we’re done here. The merits speak for themselves.
