
It's common practice in many systems to keep a password history for different reasons (mainly, to prevent the user from reusing them).

Answers like this one suggest that they are usually kept on the same format (which makes sense, in order to easily check it on password change).

Answers like this one suggest that they are often kept in the same database system.

So this makes me wonder: Doesn't this make a breach in the database all that much worse, since an attacker would have multiple passwords associated to that user/email which they can try to log in to other systems (since a lot of people have 3-4 passwords that they reuse)?

Alternatively, if you have a mental algorithm for passwords, it could be deduced (not sure if anyone would bother, but for a high profile account, maybe) from the multiple samples.

Is there actually additional risk? Is this risk a concern? In which case, are there best practices to mitigate it?

xDaizu
  • When everything is in bold, nothing is :) – MiaoHatola Apr 05 '17 at 07:50
    @MiaoHatola Sorry, I just tried to facilitate diagonal reading, but I guess I didn't do it properly. You can suggest an edit if you have a proposal for better format :) – xDaizu Apr 05 '17 at 07:54
  • Sorry. This question was a duplicate. I did search for it but didn't find it, which was really strange to me, it being such a basic question. Thanks to all the answerers! – xDaizu Apr 05 '17 at 16:26

2 Answers


If system A stops people from reusing passwords (and therefore keeps a password history) it is good for the security of system A. It ensures that passwords are regularly changed.

If it takes a year to crack the average password, but passwords are changed every half year, an attacker cannot get much value out of a data breach. Sure, you don't have to be a genius to guess what comes after password1 and password2, but it is still better than just keeping password.

You are right to point out that storing multiple hashed passwords gives an attacker more value if they want to attack system B, where users might have reused passwords from system A. But if your main concern is to protect the assets of system A, and not protecting your users in general, that doesn't count for much.

So I would say it is a question of what you want to protect. If you only care about your own system, go for a password history. If you care about users that are reusing passwords being vulnerable on other systems, then don't. What one should or should not care about is inherently subjective, so it cannot be answered here.

(There is also an argument that forcing password resets makes users pick worse passwords, and therefore should not be done at all. I'll leave that aspect out of this answer since I don't think that was what the question was about.)

Anders
  • Very good answer! I believe the last recursive paragraph is most important, history HAS proven that users choose worse passwords if they are forced to change regularly. Training your users/coworkers to use a password manager or use better passwords is much more effective than just forcing stuff and not care about the consequences. If we would all teach our neighbours about security and in particular password strategies, the world would be a better place instantly :) – Robbert van den Bogerd Nov 22 '18 at 10:41

The answer to your question will ultimately come down to what you consider more important. For many organizations, ensuring that passwords are frequently changed is the priority. For others, ensuring that the password is unique is important. Many users will just enter their most common password for the first time that they create their account, thus rendering the 'use a unique password' system useless.

Now if you're securely hashing your passwords and storing them safely, you may want to move on to the next check - is preventing successful brute-force attacks important? If you've been breached and your database stolen, maybe ensuring that your customers don't reuse the same password is important - in which case you may want to store old passwords for a certain period before allowing a reuse.

It's basically a risk vs. reward scenario - on one hand, you can ensure better safety, but it's more dangerous in case of a DB breach, while on the other hand if you don't store old passwords, you reduce loss on a breach.

Ask yourself - What is more important to you?

thel3l
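As an added example that is not from the question or either answer: one way to implement the history check both answers describe, keeping each old password as its own salted PBKDF2 hash (the same format as the current one, as the question notes) while bounding how many are kept and for how long, since every retained hash is one more secret exposed in a breach. The policy values, function names and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Illustrative policy knobs (assumed values, not taken from the page).
HISTORY_LENGTH = 5                  # at most this many old hashes are retained
RETENTION_SECONDS = 365 * 86400     # old hashes retired longer ago are dropped
PBKDF2_ITERATIONS = 600_000         # PBKDF2-HMAC-SHA256 work factor


@dataclass
class HashedPassword:
    salt: bytes
    digest: bytes
    retired_at: float = 0.0         # set when the entry moves into the history


def derive(password: str, salt: bytes) -> bytes:
    """Same slow KDF for the current password and every history entry."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_password(password: str) -> HashedPassword:
    salt = os.urandom(16)           # fresh salt per entry: equal passwords differ on disk
    return HashedPassword(salt, derive(password, salt))


@dataclass
class Account:
    current: HashedPassword
    history: list = field(default_factory=list)


def create_account(password: str) -> Account:
    return Account(hash_password(password))


def prune_history(account: Account, now: float) -> None:
    """Drop expired entries and cap the count, so the stored history holds
    only what the reuse check still needs."""
    fresh = [e for e in account.history if now - e.retired_at <= RETENTION_SECONDS]
    account.history = fresh[:HISTORY_LENGTH]


def change_password(account: Account, new_password: str, now=None) -> bool:
    """Return False (changing nothing) if new_password matches the current
    password or any retained old one; otherwise rotate and return True."""
    now = time.time() if now is None else now
    prune_history(account, now)
    for entry in [account.current] + account.history:
        # each entry carries its own salt, so the candidate is re-derived per entry
        if hmac.compare_digest(derive(new_password, entry.salt), entry.digest):
            return False
    account.current.retired_at = now
    account.history.insert(0, account.current)  # newest old password first
    prune_history(account, now)
    account.current = hash_password(new_password)
    return True
```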