0

In addition to Is it safe to store a password hash history for preventing user to keep same password repeatedly in some cases?.

Facebook, and other companies, are storing historical passwords of users. When you want to change a password to a previously used password, it gets rejected. This seems desirable to me because a password can be leaked (in combination with a username or email address) and that combination might have became insecure.

Nevertheless, I wonder if it is desirable that companies like Facebook store all our historical passwords (hopefully strongly hashed, salted and stretched and not encrypted like Adobe once did).

Shortly:

  1. Should all web applications implement such a security feature?
  2. Is it desirable that companies store our historical passwords?
  3. How long are you allowed to store/archive such information or how many recently used passwords are allowed or recommended to store?
Community
  • 1
Bob Ortiz
  • 6,339
  • 9
  • 45
  • 91
  • 2
    Possible duplicate of [Is it safe to store a password hash history for preventing user to keep same password repeatedly in some cases?](http://security.stackexchange.com/questions/85074/is-it-safe-to-store-a-password-hash-history-for-preventing-user-to-keep-same-pas) and [Website says my new password can't be used because it is the same as an old one](https://security.stackexchange.com/questions/127399/website-says-my-new-password-cant-be-used-because-it-is-the-same-as-an-old-one) – tim Jun 24 '16 at 09:42
  • If there is a security breach in Facebook's DB servers which allow people to get passwords, I honestly don't think getting the previous ones is that much more of a catastrophe. – Azami Jun 24 '16 at 09:45
  • @MadWard depends if the user only uses a few passwords across multiple platforms. IMO, not only do you have a username to try across multiple sites, but you also have multiple passwords to attempt a crack. The biggest issue doesn't seem to be access to one account (depending what it is), but access across the board. – XaolingBao Jun 24 '16 at 09:52

1 Answers1

2

To answer your questions:

Should all web applications implement such a security feature?

This is just another good security feature to help the user so if the application can afford (resources not financially) to have this implanted in their system there is no reason not to.

Is it desirable that companies store our historical passwords?

Since most users in our days do not understand the importance of not having the same password added with a 123 when changing the password, this is important to force them to change the password to something different so increase security.

How long are you allowed to store/archive such information or how many recently used passwords are allowed or recommended to store?

Forever. Why do I say this?

If an attacker wants to hack a specific user he will be looking for OSint about the user all over the place and he might even try a password that was used years back by the same user. And since users tend to use the same passwords over and over again this is not good.

Bubble Hacker
  • 3,783
  • 1
  • 11
  • 20