102

Suppose that someone stole my password; he/she can easily change it by confirming the old password.

So I am curious why we need that step, and what the purpose of the old password confirmation is.

ronaldtgi
  • Note that for the reasons given in the answers to be effective, this policy (or similar) has to apply to all account-controlling features. E.g. changing the account's email address, where a password reset feature is present. – Jon Bentley Jun 15 '17 at 17:13
  • @ronaldtgi I assume you are implying "why do we need that step _*if we are already logged in*_", is that correct? Otherwise the question seems silly. – Aaron Jun 15 '17 at 20:14
  • Also, it is similar to requiring you to retype your password when you issue a "sudo" command on a Linux computer. Otherwise I step away for 30 seconds without locking my PC, someone quickly types in "sudo maliciouscommand", and I'm hosed, since that person just used root access even though I was not logged in as root. Or like the Windows UAC prompt that you get when installing something. These are all just extra gateways that offer layers of protection. – Aaron Jun 15 '17 at 20:18
  • "Suppose that someone stole my password, he/she can easily change it by confirming the old password." Indeed, but if the system did not ask for the old password it would become "Suppose that someone did not know my password at all, he/she can easily change it to whatever they want". Does that sound secure to you? – oerkelens Jun 16 '17 at 11:08
  • @oerkelens That second statement is not correct, and overestimates the problem. It should be "Suppose that someone did not know my password at all, he/she can easily change it to whatever they want *if they have access to a system where I am already logged in*". That may be within acceptable limits of security depending on the context. E.g. I probably don't require my burglar alarm system to ask me for my old code when I want to change it, because there isn't a realistic scenario in which it would matter. – Jon Bentley Jun 16 '17 at 15:06
  • @Aaron, yes indeed. If I had asked the question as though I were logged out and wanted to edit the password, that would be even sillier. – ronaldtgi Jun 17 '17 at 03:35
  • I wonder how many people implement it with reasoning. – Filip Bartuzi Jun 17 '17 at 05:12
  • What if someone finds a way to bypass the login system altogether? Forcing a password to be used in the password change prevents a hacker from locking you out. Granted, they'd still have access, but at least *you* can still get in. Not a real answer. Just a minor thought. I might be totally wrong. – user64742 Jun 18 '17 at 05:06
  • Getting into your session != stealing your password. – njzk2 Jun 21 '17 at 02:33
  • Adding a security question is best. – Bugfixer Dec 05 '18 at 05:35

6 Answers

360

If you are logged in and I sit down at your computer, I can lock you out of your account and transfer ownership to myself.

schroeder
  • Often I see that when a password is changed, an email is sent to the address you registered with (or, if it was the email address that changed, two emails are sent, to the new and old addresses) with a special "revert this change" URL to avoid just this kind of takeover. – user1306322 Jun 15 '17 at 10:48
  • @user1306322 I admit that I have never seen a 'revert this change' option, just a notice that something has been attempted. Do you know which services offer the 'revert' option? – schroeder Jun 15 '17 at 11:00
  • @schroeder Most "changed password" emails I've seen don't usually include a "revert this change" button outright, but they usually _do_ include instructions on what to do if you weren't the one who initiated the change. Usually those instructions tell you to reset your password via the normal email-based account recovery process, which is probably better than merely reverting the change anyway, since whoever changed your password in the first place probably already has your old one. – Ajedi32 Jun 15 '17 at 13:13
  • @schroeder It either leads to the page where you can enter your credentials (which you still have) or backup numbers, like in Google accounts, or it's a long unique key in the URL; and no, I can't name them off the top of my head. But yeah, most of the time the link leads to a page with instructions on how to revert this, but doesn't actually revert the change in one click. – user1306322 Jun 15 '17 at 13:49
  • @user1306322 That makes more sense to me and matches my experience. – schroeder Jun 15 '17 at 14:21
  • Also: CSRF or XSS vulnerabilities won't be able to trivially take over an account. – Prinzhorn Jun 20 '17 at 16:10
  • @Ajedi32 A revert link would be a good idea for the situations where they change the password and the e-mail. – Loren Pechtel Jun 21 '17 at 03:21
  • I think I mostly get emails saying: "someone changed something. Click here if it wasn't you", and their server is clever enough to undo all changes that caused this message to be sent. – gnasher729 Nov 15 '22 at 09:03
149

Two main reasons:

  1. If your session is compromised (e.g. you leave the computer and someone else jumps on, or there is a remote session compromise vulnerability), it prevents another person from changing the password, locking you out of your own account.
  2. If you are enforcing a password change, you can then check that the old and new passwords don't match, without needing to store the old password in a recoverable form - you can check it, then check that the new one isn't the same, even with fully salted password hashes. While you can check exact matches with just the hash, it doesn't allow for checks such as "ensure that the new password isn't the old password with the last digit incremented by one", which are sometimes required by more sensitive applications.
Matthew
  • I also had a thought: if my session is compromised, then unless the user's email and secondary questions are also controlled by the password confirmation, he/she can still change my email. I've seen many PHP forms where the email tab is different from the password tab. Anyway, thanks Matthew. – ronaldtgi Jun 15 '17 at 10:22
  • Those other sensitive fields (like email) *should* indeed be protected with the same security mechanism. Not every site takes that level of care, but it is something that should be done. – Soron Jun 15 '17 at 10:26
  • Saved passwords often pre-fill on the login page but are less likely to pre-fill on the password reset page, requiring a user to explicitly know the old password, instead of it just being saved. – mlhDev Jun 15 '17 at 12:28
  • I have found more than one site that has figured out a way to disable the pre-fill function that some browsers offer. Figured out or got lucky. :-) – WGroleau Jun 15 '17 at 13:07
  • @Matthew You could even do that by taking the new password, *decrementing* a final digit, and hashing to see if it's the old password, but having old & new could be convenient for some checks. – David Conrad Jun 15 '17 at 20:46
  • @WGroleau I have found an extension that thwarts at least one of the ways that some sites have figured out for disabling the pre-fill function. (In case you're thinking I'm exposing my credentials to the extension: all it does is check the HTML for an attribute that tells the browser "do not autofill this field" on the username and password fields, and remove that attribute if found.) – Dan Henderson Jun 16 '17 at 18:59
  • Unless you've studied the source code, you don't know whether _any_ extension is spying on you. – WGroleau Jun 16 '17 at 19:32
  • @WGroleau Generating a fully random id/name for the field usually disables pre-fill (the browser doesn't match it to any field it knows of), fwiw. – spectras Jun 17 '17 at 10:19
  • @DavidConrad (1) Checking for Hamming distances of 1 or 2 is not significantly slowed down by hashing; and (2) if you don't want people to pick similar passwords, then apparently they're not voluntarily changing it: forcing password changes is not recommended (see the NIST recommendation, a Microsoft research paper from 2008 or something, and common knowledge of what kind of passwords people choose in such events). – Luc Jun 20 '17 at 12:14
  • @Luc I was merely pointing out that it was possible, not suggesting that testing for such similar passwords should be done, nor was I advocating forcing password changes. – David Conrad Jun 20 '17 at 13:22
  • @MatthieuM. By comparing hashes you cannot identify that a user's old password was Password1 and his new one is Password2. As Matthew mentioned, using the old password you can check the new password against common permutations that would render the new password less secure if the old one gets compromised. – BlueCacti Jun 21 '17 at 11:16
  • @GroundZero: Well, Matthew mentioned the fuzzy matches *after* my comment, so I guess it means I can remove it now that it's been taken into account. And indeed, I agree that checking that the two passwords do differ substantially is a good idea. – Matthieu M. Jun 21 '17 at 11:19
  • @WGroleau Worth pointing out that one needs to read the source on your local device, not the public source on the net, as there is no guarantee that it's what's actually installed. – Artog Jul 15 '19 at 12:36
  • True. One would have to compile the source one has read to be sure what is installed. And even then you're not 100% safe: https://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a – WGroleau Jul 18 '19 at 14:06
  • @DavidConrad But when you want to do something more complicated, let's say calculate the edit distance (or any other string similarity metric) between the old and the new password and see if it's different enough, you would need the old password in plaintext... – Anis LOUNIS aka AnixPasBesoin Feb 27 '22 at 18:46
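A worked version of Matthew's two points and of the hash-versus-plaintext thread in the comments, added here as illustration rather than taken from the question, the answers, or any real site: the change handler re-authenticates with the current password, and only because it then has the old password in plaintext can it run similarity checks (case-only change, same stem with a different trailing number, Levenshtein distance). The last function shows David Conrad's hash-only alternative, which can only test transformations you can enumerate. The PBKDF2 parameters, the threshold of 3 edits, and the `record` dict layout are assumptions for the example.

```python
"""Password change that re-authenticates with the current password and then
compares old and new in plaintext. Example code written for this page; the
hashing parameters and the similarity threshold are assumptions, not any
particular site's policy."""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor (assumed; tune to your hardware)
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def same_stem_different_number(old: str, new: str) -> bool:
    """True for 'Summer2017' -> 'Summer2018' style changes (stem compared case-insensitively)."""
    mo, mn = _TRAILING_DIGITS.match(old), _TRAILING_DIGITS.match(new)
    return bool(mo and mn) and mo.group(1).lower() == mn.group(1).lower()


def too_similar(old: str, new: str, min_distance: int = 3) -> Optional[str]:
    """Return a rejection reason, or None if the new password is acceptable.
    Every check here needs the old password in plaintext, which the
    re-authentication step supplies."""
    if old == new:
        return "new password must differ from the current one"
    if old.lower() == new.lower():
        return "new password differs from the current one only in letter case"
    if same_stem_different_number(old, new):
        return "new password is the current one with its trailing number changed"
    if edit_distance(old.lower(), new.lower()) < min_distance:
        return f"new password is within {min_distance - 1} edits of the current one"
    return None


def change_password(record: dict, current: str, new: str) -> Tuple[bool, str]:
    """record = {'salt': bytes, 'digest': bytes}, mutated on success."""
    # 1. Whoever holds this session must also know the current password.
    if not verify_password(current, record["salt"], record["digest"]):
        return False, "current password incorrect"
    # 2. With the plaintext in hand, the similarity policy can be evaluated.
    reason = too_similar(current, new)
    if reason is not None:
        return False, reason
    record["salt"], record["digest"] = hash_password(new)
    return True, "password changed"


def hash_only_increment_check(new: str, salt: bytes, digest: bytes) -> bool:
    """The alternative from the comments: without the plaintext, guess that the
    old password was the new one with its trailing number decremented and test
    the guess against the stored digest. This only works for transformations
    you can enumerate; an edit-distance threshold cannot be checked this way."""
    m = _TRAILING_DIGITS.match(new)
    if not m:
        return False
    stem, num = m.group(1), m.group(2)
    guess = f"{stem}{int(num) - 1:0{len(num)}d}"
    return verify_password(guess, salt, digest)
```

Note the ordering in `change_password`: the current-password check comes first, so a request from a hijacked session that lacks the password is rejected before any state changes, and the similarity policy is evaluated only on the plaintext the user just proved they know.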
99

To augment the other answers, I'll add one more reason: to confirm that the keyboard is working as the user intends.

Caps Lock can invert the case, and Num Lock can change whether typing e.g. a "4" on the keypad will instead move the cursor left. Some interfaces show a warning, but many don't.

Most OSs have software keyboard layouts. Being able to type your old password correctly is good evidence that you intend to use the current layout.

I've also had individual keys stop working, which causes frustration as you troubleshoot why you can't log in from any other keyboard.

Spencer Joplin
  • "I've also had individual keys stop working, which causes frustration as you troubleshoot why you can't login from any other keyboard." You mean you *set* the password from a broken keyboard and then couldn't log in on any other keyboard? :D Wow, that's actually a really interesting scenario. – Wildcard Jun 20 '17 at 04:26
  • @Wildcard I once had a situation in which the layout of my keyboard changed between password setup and the login afterwards. Imagine troubleshooting these issues in situations where you can't read the password in plaintext. It was a Windows login and my user's keyboard layout was different from the OS's. – BlueCacti Jun 21 '17 at 11:18
  • Steam had (has?) an issue with Big Picture mode and some controllers, where some of the keys shown on the interface don't match what is actually entered when pressing that controller button. So if you set a passcode with a keyboard, you might not be able to enter it on a controller, and vice versa. – GalacticCowboy Jun 22 '17 at 11:43
10

I think that confirming the old password doesn't help you secure your account in the case where you have lost your password. But it does make sense when no one has stolen your password, because it makes sure that you are the only one who can change it (because only you know your password). For example, no one knows your Facebook password, but you've already logged in to Facebook with your account on your cell phone, and then your friend borrows your phone. If he/she wants to change your password, it's impossible without knowing your current password.

Sarah G.
  • Well, they could just reset the password and open your email, but the idea is right. – Tim Jun 15 '17 at 16:09
  • This is a dupe of #1 in [this answer](https://security.stackexchange.com/a/162024/125213) above. – Ploni Jun 18 '17 at 21:20
  • Unless it's your Skype account and you've lost your password. Then you're just screwed. (You can keep using the Skype account on the devices you're logged in on, but once they go obsolete and unsupported you're forever locked out.) (The Skype password reset process is almost impossible to get approved.) – Wildcard Jun 20 '17 at 04:25
2

It is to help you keep the account for yourself.

Some scenarios:

  1. Your cookie is stolen by someone via a middleware or by some other method; if the site didn't prompt you for the old password, they could change the password and the recovery email, and then the account would no longer belong to you.

  2. If someone has access to a system where you are logged in, they can change the password and then the recovery email, and then the account no longer belongs to you.

i--
  • This is a direct dupe of Matthew's answer 5 days before yours. If you have a unique perspective to provide, then please edit the post to include it. Don't just repeat other answers. – schroeder Jun 19 '21 at 15:59
2

Cross-Site Request Forgery (CSRF) protection. This likely isn't the primary reason, but sites that don't otherwise use any CSRF protection but happen to require the old password for password changes have protected at least that one request from CSRF attacks.

freb
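A simulation of freb's point, added here as an illustration and not drawn from any site's real implementation: three versions of a password-change handler face the same forged cross-site request, in which the victim's browser attaches the session cookie but the attacker's page controls every form field. The unprotected handler is taken over; the handler with a per-session CSRF token and the handler that re-authenticates with the current password both refuse, because the forging page can read neither value. The `Request` class stands in for a framework's request object, and the account, session ids and passwords are constructed for the example.

```python
"""Simulated password-change endpoint under a cross-site request forgery.
Example code written for this page. Three variants of the handler are
compared: no protection, a per-session CSRF token, and re-authentication
with the current password."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(password: str) -> dict:
    """Constructed server-side record for one user (assumed layout, not a real schema)."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _pbkdf2(password, salt),
            "csrf_token": secrets.token_hex(16)}


def password_matches(acct: dict, password: str) -> bool:
    return hmac.compare_digest(_pbkdf2(password, acct["salt"]), acct["digest"])


def _set_password(acct: dict, password: str) -> None:
    acct["salt"] = os.urandom(16)
    acct["digest"] = _pbkdf2(password, acct["salt"])


@dataclass
class Request:
    """What the server sees: cookies the browser attaches to every request to the
    site (including a cross-site form post) and the form body, which the page
    that submitted the form fully controls."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _session_account(sessions: dict, req: Request):
    return sessions.get(req.cookies.get("session"))


def change_unprotected(sessions: dict, req: Request) -> tuple:
    acct = _session_account(sessions, req)
    if acct is None:
        return 401, "not logged in"
    _set_password(acct, req.form["new_password"])
    return 200, "password changed"


def change_with_csrf_token(sessions: dict, req: Request) -> tuple:
    acct = _session_account(sessions, req)
    if acct is None:
        return 401, "not logged in"
    # The token is embedded in the site's own page; a cross-origin page cannot read it.
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, acct["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    _set_password(acct, req.form["new_password"])
    return 200, "password changed"


def change_with_reauth(sessions: dict, req: Request) -> tuple:
    acct = _session_account(sessions, req)
    if acct is None:
        return 401, "not logged in"
    # The forging page does not know the victim's password, so it cannot fill this in.
    if not password_matches(acct, req.form.get("current_password", "")):
        return 403, "current password required"
    _set_password(acct, req.form["new_password"])
    return 200, "password changed"


def run_forgery(handler) -> tuple:
    """Victim logged in as 'sid-victim' visits an attacker page that auto-submits a
    form to the change endpoint. Returns (status, attacker's chosen password works)."""
    acct = make_account("hunter2")                        # constructed victim account
    sessions = {"sid-victim": acct}
    forged = Request(cookies={"session": "sid-victim"},   # browser attaches this
                     form={"new_password": "pwned"})      # attacker chooses this
    status, _ = handler(sessions, forged)
    return status, password_matches(acct, "pwned")


def run_legitimate(handler) -> tuple:
    """The account owner, on the real page, fills in every field the form asks for."""
    acct = make_account("hunter2")
    sessions = {"sid-owner": acct}
    req = Request(cookies={"session": "sid-owner"},
                  form={"new_password": "correct horse battery staple",
                        "current_password": "hunter2",
                        "csrf_token": acct["csrf_token"]})
    status, _ = handler(sessions, req)
    return status, password_matches(acct, "correct horse battery staple")
```

The re-authentication variant stops the forgery only because a CSRF attacker, by definition, does not know the password; it does nothing against the scenario in the question, where the attacker already has it. A site should still use a real CSRF token on every state-changing request (including email and recovery-address changes, per Jon Bentley's comment), with the old-password prompt as an additional layer rather than a substitute.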