Should I be concerned that websites keep track of old passwords?

So, I’m working from home this AM, and had to access a non-frequent website. Naturally, my password expired, so I did the 2FA thing, and typed in a new password. The site responded, “This password has been used in the past 7 passwords. Please choose another new password.”

This kind of caught me off guard. Are websites saving/tracking my old passwords now? How concerned should I be about this? I change them often enough, and don’t use repeat passwords across sites, but couldn’t someone determined enough, across enough sites, figure out a pattern to narrow down a brute-force attempt?

I need to change my luggage code from “1 2 3 4 5.”

I think it’s saving, not tracking, but in encrypted format.

I use a password manager, to avoid sharing passwords. Of course, I’m too lazy to update passwords regularly.

IF the website is properly storing the passwords (salted + hashed) you don’t have much to be concerned about. They should only be storing the previous hashes of your password and simply need to compare your newly entered password against them.

Hashing is not reversible, so your passwords are theoretically safe if a bad actor were to get access to the website’s database. Rainbow tables can be used to compare known hashed password values against a database, but a good salt should prevent that.

Note: Encrypting and Hashing are two different things. In almost all circumstances, passwords should be stored as hashed values and NOT encrypted. Encryption is by definition reversible while hashing is not.
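A sketch of the history check described in the post above, added here as an example and not taken from any site or poster in this thread: the server keeps only a (salt, digest) pair per password and re-hashes the candidate with each stored salt. The class and function names, the sample passwords, and the low PBKDF2 iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 7    # the site in the thread rejects the last 7 passwords
ITERATIONS = 10_000  # demo value so this runs quickly; production settings are far higher


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way PBKDF2-HMAC-SHA256 digest; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Holds (salt, digest) pairs for the most recent passwords (hypothetical helper)."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)  # oldest entry drops off automatically

    def was_used(self, candidate: str) -> bool:
        # Every entry has its own salt, so the candidate is re-hashed once per
        # entry and compared in constant time.
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self._entries
        )

    def change_password(self, new_password: str) -> bool:
        """Return False and store nothing if the password is still in the history."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)  # fresh random salt for each password
        self._entries.append((salt, hash_password(new_password, salt)))
        return True

    def stored_records(self):
        return list(self._entries)


def demo():
    history = PasswordHistory()
    # Constructed sample passwords, for illustration only.
    accepted = [history.change_password(f"constructed-pass-{i}") for i in range(7)]
    reused = history.change_password("constructed-pass-0")        # still in the last 7
    history.change_password("constructed-pass-7")                 # pushes pass-0 out
    reused_later = history.change_password("constructed-pass-0")  # no longer in history
    return accepted, reused, reused_later
```
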

Saving your last 7 passwords is no different than saving your current password. It’s encrypted. So if you’re not worried about them saving your current password (which they have to do, because that’s how you log in) then don’t worry about it.

If you are worried about it, create 8 new random passwords every time they ask you to change. Then the 7 saved passwords are guaranteed to not be used anywhere else.

The best you can do is to not use the same passwords across sites so you are doing what you can to avoid being compromised.

Preventing near-reuse (e.g. changing a password by a single digit) is a very common security measure. The passwords are still stored as an unrecoverable hash (or, at least, should be) and they just cycle through each single character with the alphanumeric sequence and compare the hashed password, so if you change two or three characters, it should meet requirements.

Assuming the password is made up of N characters from the ASCII character set, a single character change would require N*128 permutations, and checking two independent characters would be (N^2-N)*128^2 permutations, so for an 8 character password 1024 and 917504 hash-and-compare (H&C) operations, but in general it will become computationally prohibitive with additional characters C with N!/(N-C)!*128^C (I think I got that right), so 3 or 4 changed characters in an 8 character password the number of H&C operations would be over 450 million and 704 billion, respectively. So, as long as you are making more than two digit changes to a password and the website has reasonable security, changing more than a couple of characters should prevent any brute force hacking attempts.

Of course, if the website is keeping a plaintext registry of passwords (yes, some do even though it is trivially easy today to hash passwords) or there is some man-in-the-middle vulnerability that allows a cracker to grab the password before it is hashed, you are still vulnerable. Such vulnerabilities are surprisingly common, hence why major corporations get hacked with disturbing frequency and little accountability.

It would be computationally prohibitive to check every permutation of two independently; assuming a 128 character set, a single change would be 128*N, but two independent changes would be (

I wouldn’t bother. The TSA locks that are the only lock you are now allowed to use to secure your luggage aren’t worth the pot-metal zinc alloy they are made out of even notwithstanding the wide availability of the TSA master key. Even if a thief isn’t clever enough to buy a $5 TSA #7 lock off of Amazon, there is essentially no security in luggage handling areas. I had a Pelican case that went through Orlando airport security, and some aspiring defalcator had enough time and unimpeded access to both drive the hinge pin mostly out of the rear hinge and use a hacksaw to clumsily finish the job. (Why they didn’t just use the hacksaw or a cheap Harbor Freight bolt cutter to just cut the worthless locks off and save me the trouble of having to requisition a new Pelican just indicates how little thought it takes to be a luggage thief.)

Fortunately, all they got was a few hand tools, a cheap flashlight, and a metric shit-ton of lockwire, and my biggest loss was a pair of good lockwire pliers that I haven’t been able to replace, but pretty much anything you send through airport luggage is about as secure as a keg at a frat party. Given the fees airlines have been charging for “oversized” and overweight luggage, I’ve taken to just cargo shipping anything valuable because as careless as UPS is about accurately tracking shipments they are still way more reliable and accountable than airlines and airport cargo contractors who just shrug their shoulders when you show them a piece of luggage that has been slashed, pried, or torched (no kidding!) open.

“Master Locks generally cry out for this sort of treatment.” — The Lock-Picking Lawyer
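The single-character near-reuse check from the post above, written out as an added example (not code from the poster or from any site): the server takes the newly submitted password, tries every one-position substitution over the 128-character set, and hashes each with the old salt. The function names, sample passwords and the low iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os

ALPHABET = [chr(c) for c in range(128)]  # the post's 128-character ASCII set
ITERATIONS = 1_000  # demo value; every variant costs one full hash, so real settings make this slower


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def single_char_variants(password: str):
    """Yield every string that differs from `password` in at most one position."""
    for i in range(len(password)):
        for ch in ALPHABET:
            yield password[:i] + ch + password[i + 1:]


def near_reuse_check(new_password: str, old_salt: bytes, old_digest: bytes):
    """Return (is_near_reuse, number of hash-and-compare operations performed)."""
    count = 0
    for variant in single_char_variants(new_password):
        count += 1
        if hmac.compare_digest(hash_password(variant, old_salt), old_digest):
            return True, count  # some one-character edit of the new password is the old one
    return False, count


def demo():
    salt = os.urandom(16)
    # Constructed sample: the server holds only the salt and digest of the old password.
    old_digest = hash_password("Tr1cycle", salt)
    one_changed = near_reuse_check("Tr2cycle", salt, old_digest)    # differs in 1 position
    three_changed = near_reuse_check("Tr2cyc1E", salt, old_digest)  # differs in 3 positions
    return one_changed, three_changed
```

For an 8-character password a full pass costs 8*128 = 1024 hash-and-compare operations per stored history entry, which is the single-change figure given in the post.
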


Thanks guys!! Knowing it’s a reputable government website, I reckon that everything is locked up adequately.

Interesting, I wonder if I can still transport firearms with my own lock–but that’s another thread topic of its own. I, like you, had a couple of instances where my clearly marked Pelican cases were jimmied open, and the loss of a couple of my ‘prior occupation’s’ hand tools occurred.

Salt and hash makes me breakfast hungry.


I know, I know. . . Everyone has my federal records by now. I should have put “sarcasm” tags into play.

Sometimes I think the SDMB is the most secure site I frequent.

Just to assuage my confusion about why you’d care if they kept a bunch of old passwords, even if they weren’t hashed – you’re not using the same password on more than one site, right? That’s a terrible practice that greatly increases your vulnerability if one site is compromised.

That’s correct, I don’t reuse passwords across sites. Passwords are like underwear: they help protect what’s close to you, need to be changed often, and aren’t good to spread around for everyone to see.

I wash my password skivvies after one wear.

The concern, I suspect, is being able to detect a pattern of how passwords are made. Some people like to take names and replace vowels with numbers, others use famous phrases slightly altered, and so forth. The reality is that as long as your password has a reasonable amount of complexity and the website has some marginal level of security (locking the account after some number of attempts, refusing multiple simultaneous authentications, ensuring that the password hash isn’t accessible from outside) then even relatively simple passwords with repeated patterns are adequately secure as long as you aren’t reusing the same password across different sites.

Outlandish complexity requirements and frequency of change actually do almost nothing to improve security and may actually make things worse. My current organization requires a 16 digit password with no English words that has to be changed on 90 day intervals. Guess what most people do to ‘remember’ their frequently changing password?


That’s my concern. I don’t reuse passwords, but I admit that I use terms and phrases from my past to help me generate new secure ones. I’m not nearly as imaginative or randomized as certain secure algorithms are, so I assume I have a pattern.

Don’t get me started on the three random security questions. :roll_eyes:

I’m still thinking about salty hash–lunchtime!

Yeah, restrictions on the form of passwords are a pet peeve of mine. I use a password manager that hashes the website name along with a secret key, and then uses the hash to construct a 10 character password that’s guaranteed to have at least one uppercase, one lowercase, one digit and one punctuation. (Per Kerckhoffs’s principle, all the security is in the key; I don’t care if everything else about my system is known.) But occasionally I run into a website that doesn’t accept the punctuation character, or has some other restriction that doesn’t accept my default password, making it tempting to just use a one-off easily rememberable password for that site. Sites should not require a password format; it just decreases the size of the password space and encourages writing them down, using memorable passwords, or otherwise using insecure techniques.

Those questions are actually enormous vulnerabilities, especially the predetermined ones that request publicly available information like the schools you’ve attended or your mother’s maiden name. Passwords in general are not very good security (again, because people write them down) but if you can socially hack the password change process there isn’t even a need to worry about brute force or computational vulnerabilities, because you are basically being handed a key blank and wax impression, and just need to do a bit of filing to open the lock.


It could be worse. There’s a site we’re supposed to use at work, and we all had accounts set up for us. We all got a message in our work email, “Click here to finish setting up your account”, and then it said that all we had to do to finish setting up our account was to create a password.

And, as soon as we did so and then logged in with the brand-new password, the site came back with “Your password has expired. Please change it.”

I’ve met sites and games where passwords cannot contain anything other than numbers and letters. How bizarre is that? I’m immediately wondering how they are storing the password if it has to be an alphanumerical string.

Fuck yes, you should be concerned. The website does not need to know your password. That’s why zero-knowledge password protocols exist.

Wikipedia knows all:

I’ve had people tell me that if they want to transport something valuable in checked bags they also pack a firearm (declared) with it. Their assertion was that bags with declared firearms are given special security in baggage handling and random baggage handlers aren’t given unrestricted access.

Regardless of the random questions being asked, just respond with anything you will remember.