
Some services like Google or Facebook forbid me from using a password that has already been used for the same account in the past.

My question is, if this old password was never compromised (i.e. it was too long to type, and I changed it for a shorter but secure one), why shouldn't I use it?

Hey

3 Answers


Based on your comments to the other answers, I understand your question better now, and your point is a good one. Consider the following:

You have a Gmail account with a password that is sufficiently complex, and you've had the same password for years. Perhaps you use an email client at home to check and store your email, and you use your phone client as well. You are traveling and lose your phone. You go to the mobile store and get a new one, and they transfer your number for you to the new phone. While trying to set up Gmail on your new phone, you can't seem to remember your Gmail password, so you reset it using SMS verification, and everything is fine, except that you know your email client at home is getting annoyed because it keeps failing to connect. It's not a big deal; you realize you'll have to enter the new password when you get home. After stopping for a coffee, you have a moment of brilliance and you suddenly remember your old Gmail password. You try to change it back to the old one but now you can't! Dejected, you go back to your hotel, sit down on the couch, and find your old phone between the seat cushions. You think back to that moment when you were trying to remember your Gmail password... "Had I only been able to remember it, then I could have kept that awesome password. But I had a moment of forgetfulness and now that perfectly good password is wasted..." Of course, had you not found your old phone, you might have wanted to change the password anyway, along with all other passwords that were automatically stored on the phone.

So why doesn't Gmail let you reuse the password? Because they have no way of knowing you found your old phone.

In other words, they don't know why you changed it in the first place, so they simply assume you changed your password because you accidentally tweeted your old one to the entire world, just in case.

TTT

Part of it is a jerk reflex -- password reuse is forbidden because otherwise users can easily work around policies that force regular password changes. Not that forcing password changes really improves security, but that's traditional.

Thomas Pornin
  • I wouldn't go as far as saying it doesn't really improve security. Sure, it doesn't guarantee that the new passwords are any more secure than the last, but it's good practice in case your passwords are stolen but not utilized immediately. – WorseDoughnut Mar 31 '16 at 17:02
  • But Google and Microsoft don't enforce regular password change. What's the reason then? – Hey Mar 31 '16 at 17:19

You know for sure that your password was never compromised? You sound awfully confident about that...

The risk here is that a hashed password db was stolen / leaked at some point in the past and hackers are slowly cracking the passwords over a period of years. Moreover, users tend to use the same password for multiple sites and change the password for all sites around the same time. So just because that password wasn't compromised for your Facebook account at the time doesn't mean that it's not linked to you in some hacker database somewhere.

As a concrete example: haveibeenpwned.com tracks all publicly leaked passwords associated with your email address or username. Any hacker trying to hack your Facebook account today will first try all of your previous known passwords from any site, so by refusing to let users re-use an old password, Facebook is helping to protect you from yourself.

Mike Ounsworth
  • But this password doesn't seem more secure than when I used it, and I could have kept it for 5 years without Google saying anything. I know for sure that I never did anything that could put it at risk. And I never reuse passwords on different sites. – Hey Mar 31 '16 at 17:18
  • @YdobEmos just because you believe you never personally put the password at risk, doesn't mean it hasn't been leaked in by means outside of your control. – WorseDoughnut Mar 31 '16 at 17:20
  • I don't understand, if you've ever used that password for any account anywhere on the internet, then it's at risk for reasons that are out of your control. I'm not sure that anything you do, or don't do, will make the password "100% safe" to use again. – Mike Ounsworth Mar 31 '16 at 17:20
  • But it is as secure as if I never stopped using it! And in this case nobody would complain, even if it has the same chance to be compromised. – Hey Mar 31 '16 at 17:45
  • @YdobEmos Yeah, fair enough. As Thomas Pornin said below, and in his answer to [this question](http://security.stackexchange.com/q/20591/61443): blocking password reuse only really makes sense if you're forcing timed password expiry. And if you are doing password expiry then you really should be blocking password reuse ... it's really an "if and only if" situation. Regardless, it certainly doesn't hurt security. – Mike Ounsworth Mar 31 '16 at 17:53
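For readers wondering what "refusing to let users re-use an old password" actually looks like server-side: the example below is added here and is not code from Facebook, Google, or any of the posters. It shows the usual way a service keeps a bounded password history without ever storing the old passwords themselves: each previous password is kept only as an independently salted slow hash (PBKDF2-HMAC-SHA256 here), and a candidate new password is hashed against each stored salt and compared. The iteration count, history depth and `Account` structure are illustrative assumptions; production deployments should use a higher iteration count (or scrypt/Argon2) and a real data store. Note what the check can and cannot do: it detects exact reuse of a password the service has seen, but, as the answer above says, it has no way of knowing whether that password was also exposed somewhere else.

```python
"""
Password-history reuse check (illustrative example, not a real service's code).

Each password the account has ever had is stored as (salt, hash) with its own
random salt, so the history leaks nothing useful if the database is stolen and
cannot be compared by simple equality; the candidate must be re-hashed per entry.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed parameters. 100_000 keeps the example fast; current guidance for
# PBKDF2-HMAC-SHA256 is several times higher, and scrypt/Argon2 are preferable.
ITERATIONS = 100_000
HISTORY_DEPTH = 5          # remember the last 5 passwords besides the current one
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password; same salt + same password -> same digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    current: tuple                      # (salt, digest) of the active password
    history: list = field(default_factory=list)  # most recent retired password first


def create_account(password: str) -> Account:
    salt = os.urandom(SALT_BYTES)
    return Account(current=(salt, hash_password(password, salt)))


def was_used_before(account: Account, candidate: str) -> bool:
    """True if the candidate equals the current password or any remembered old one.

    Every entry has its own salt, so the candidate is hashed once per entry;
    that cost is why the history depth is bounded. The comparison is constant
    time so a digest prefix is not leaked through timing.
    """
    for salt, digest in [account.current] + account.history:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            return True
    return False


def change_password(account: Account, new_password: str,
                    history_depth: int = HISTORY_DEPTH) -> None:
    """Rotate the password, refusing any value still in the history window."""
    if was_used_before(account, new_password):
        raise ValueError("new password matches the current or a recent password")
    # Retire the current password into the history and trim to the window.
    account.history.insert(0, account.current)
    del account.history[history_depth:]
    salt = os.urandom(SALT_BYTES)
    account.current = (salt, hash_password(new_password, salt))


if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    change_password(acct, "Tr0ub4dor&3")
    try:
        change_password(acct, "correct horse battery staple")
    except ValueError as exc:
        print("rejected:", exc)
```

The design choice worth noticing is the per-entry salt: reusing one salt across the history would make the check a single hash plus a set lookup, but it would also let an attacker who steals the table test one guess against every entry at once, and it would reveal when a user cycled back to an earlier password. Paying one slow hash per history entry is the price of keeping the history as opaque as the live credential.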