The security policy at my employer has a password rotation policy for my workstation. Upon a recent change of password I immediately received an email telling me of an issue:

According to our records, you recently changed your workstation password, which is synchronized automatically with XYZ. However, this email is sent to inform you that your password could not be set in the system. The most common reason for failure is that the first three characters of a password cannot be identical...

Please change your password once again via the Password Center or Windows.

How annoying that I need to change my password once again. But more curiously, I was under the impression that policies like this one would be impossible if password hashing was in practice. Should the administrators of system XYZ know what the first three characters of my previous password are or is it indicative of bad practice?

Edit

first three characters of a password cannot be identical

I interpreted this as "...first three characters of a password cannot be identical to the previous". The email itself was riddled with spelling and grammatical errors (it even contained a stack trace) so I mentally went into interpretation mode and now I think I interpreted this line incorrectly. On reading again it's probably just making a suggestion. I won't go jumping down the throats of the IT Helpdesk just yet! Nevertheless I think this can be answered hypothetically as though it were referring to the previous password so I will leave the question as it stands. (Incidentally, I'd be interested in knowing why one might have a policy that forbids the first three characters from being identical.)

Password is changed via CTRL+ALT+DEL in Windows. Some synchronization with other internal systems (time-writing systems for example) must occur when this happens.

chrisjleu
    Your title says "First X characters of password ... not identical to **previous** one (password?)", but your quote says "First 3 characters of **your password** cannot be identical" like `aaaRestOfPassword`. Please clarify. – hamena314 Jul 06 '16 at 07:26
  • 1
    "would be impossible if password hashing was in practice" As I've commented under S.L. Barth, this is not necessarily true. They could store 2 hashes: one of the first X letters, then one of the whole password. – Quentin Jul 06 '16 at 08:26

1 Answer

If it is meant to say, "the first X letters of the password are the same as the first X of the previous password", this is indicative of bad practice, for exactly the reasons you have mentioned.

The first X letters may be stored somewhere in plaintext, which is bad - if an attacker gets their hands on them, it makes a brute-force attack simpler.

Even if, as @Quentin points out in the comments, they only store a hash of the first X characters, this still makes it easier for an attacker. If attackers get access to this hash, they can brute-force the hash of the first X characters more easily than the hash of the full password. After that, they've got the first X characters of the password, making a brute-force attack on the entire password a lot simpler.

However, as is pointed out by @hamena314 in the comments, maybe you are interpreting the message wrong:

The most common reason for failure is that the first three characters of a password cannot be identical...

It may simply mean that the first three characters cannot be identical to each other.

S.L. Barth
  • 2
    "The first X letters are stored somewhere in plaintext" Not necessarily, they could store a hash of the first X letters. – Quentin Jul 06 '16 at 08:23
  • @Quentin Good point, thanks! I've edited that case into the answer. – S.L. Barth Jul 06 '16 at 08:27
  • 1
    It's pointless hashing three characters as this would be trivially brute-forced. – Jim Jul 06 '16 at 09:13
  • @S.L.Barth I have a question on this. So some sites don't allow passwords starting with common names like bob, password, test etc. So does this validation take place on client side or is it a sign of password getting stored in plain-text? – one Jul 06 '16 at 09:36
  • 2
    @RuchShuk The password verification could take place on the client or the server. However, if the server sees the plaintext password during signup, that does not mean it will actually _store_ it in plaintext. – S.L. Barth Jul 06 '16 at 09:42
  • 1
    @S.L.Barth, please correct me if I am wrong. So the server validates the password and if it is found ok, it is hashed and stored in the database. – one Jul 06 '16 at 09:51
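The following is an added illustration, not code from the question, the answer, or the employer's system XYZ, of the point made in the answer and its comments: a rule such as "the first three characters may not be identical" can be checked on the transient plaintext at change time and nothing from it retained, password history can be enforced by verifying the new password against stored old hashes, and a hash of only the first three characters protects almost nothing because its candidate space is tiny. The 12-character minimum, the PBKDF2 work factor and the 95-character printable alphabet are assumptions chosen for the example.

```python
"""
Added example: enforcing a password policy without retaining plaintext,
and estimating why a hashed 3-character prefix is trivially recoverable.
Not the original post's code; policy parameters below are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

PRINTABLE_ASCII = 95        # assumed candidate alphabet for the search-space estimate
PBKDF2_ITERATIONS = 100_000 # assumed work factor, kept low so the demo runs quickly
MIN_LENGTH = 12             # assumed minimum length


def policy_violations(password: str) -> list:
    """Check the new password against the policy *before* it is hashed.
    Only the transient plaintext supplied at change time is inspected;
    nothing derived from it is kept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Reading of the e-mail suggested in the comments: the first three
    # characters may not all be the same character (e.g. 'aaaRestOfPassword').
    if len(password) >= 3 and len(set(password[:3])) == 1:
        problems.append("first three characters are identical")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Persist salt + PBKDF2-HMAC-SHA256 digest only: no plaintext, no prefix."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def change_password(history: list, new_password: str) -> dict:
    """Hash-only password history: the new plaintext is verified against each
    stored old record. This detects reuse of a *whole* previous password, but
    it cannot tell whether the first three characters match the previous one;
    that comparison would require the old plaintext (or a hash of its prefix)."""
    problems = policy_violations(new_password)
    if any(verify_password(old, new_password) for old in history):
        problems.append("matches a previous password")
    if problems:
        raise ValueError("; ".join(problems))
    record = hash_password(new_password)
    history.append(record)
    return record


def search_space(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of candidates an exhaustive search must cover for a secret of
    the given length drawn from the given alphabet. For a stored hash of a
    3-character prefix this is 95**3 = 857,375, which any desktop exhausts
    in well under a second regardless of the hash function."""
    return alphabet ** length


if __name__ == "__main__":
    history = []
    change_password(history, "Correct-Horse-Battery")
    try:
        change_password(history, "Correct-Horse-Battery")
    except ValueError as err:
        print("rejected:", err)
    # Same first three characters as the previous password: accepted, because
    # only full-password hashes are stored and prefixes cannot be compared.
    change_password(history, "Correct-Horse-Battery-2")
    print("stored records:", len(history))
    print("3-char prefix candidates:", search_space(3))
    print("12-char password candidates:", search_space(12))
```

The point of `change_password` is that a history check works purely on hashes, so an administrator who can detect a reused password has learned nothing about it; a system that can also report "your first three characters match the old ones" must hold either the old plaintext or a separate hash of that prefix, and `search_space(3)` shows how little that separate hash costs an attacker to invert.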