12

My bank requires me to change my password regularly but then they can detect if my password was used before. They probably store the old password (possibly hashed) in order to detect it. I think this defeats the purpose of password change since old passwords are still stored.

Is storing old passwords even if hashed for the purpose of forcing new passwords generally okay? Or it defeats the purpose?

eightShirt
  • 313
  • 1
  • 3
  • 12
IMB
  • 2,908
  • 6
  • 28
  • 42

2 Answers2

21

The bank keeps your previous passwords (or hashes thereof) to force you to change your password, but it does not mean that they would accept an old password as valid authentication. The important point is: the bank wants to protect access, but it has no interest in protecting your older passwords per se. For the bank, the old password is no longer sensitive data, since it does not grant access to the bank.

Well, actually, old passwords are somewhat sensitive because users are users, and thus they:

  1. reuse passwords for other sites;
  2. "generate" successive passwords with "witty" procedures, as opposed to what they should do, i.e. random procedures. If an attacker learns that your two previous passwords are "sleepy" and "sneezy", he may try "grumpy" and "happy" as potential passwords).

So a bank which keeps traces of old passwords around should protect them adequately, i.e. as if they were still active passwords (hence store only hashes, with a slow hash and a lot of salt). But that's indirect. By itself, learning an old password does not give any special power to the attacker, at least from the point of view of the bank.


Forcing password changes on users is, at best, a procedure of dubious value. It may enhance security only if we assume that the previous password was indeed stolen at some point. In other words, it has security benefits only if a constant, non-null amount of fraudulent accesses is occurring and the server has learned to tolerate it, and just wants to keep it low. This is not very reassuring, for a bank. In all other cases, forcing a password update just antagonizes users, and that's never a good thing. See this previous question for more opinions on the subject.

Most places where passwords must be changed regularly do so mostly because it is technically possible, and out of respect for a fuzzy tradition which is never uttered with clarity. At my work place, passwords must be changed every 42 days, must be distinct from the last 24 passwords, and, last but not least, when I change my password I am not allowed to change it again for the next three days (I have never understood what reasoning may have gone through the mind of the people who established such a rule; I find no benefit for it in any situation, even far-fetched; it is just irksome, and I must assume it was meant to keep me angry).

But, if the bank nevertheless wishes to force password updates, then keeping around old password hashes makes sense: it does not weaken the security of the bank's site and it is the only way to enforce a policy of distinct passwords.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • 4
    So, if password is compromised within 3 days you can't help fix it by changing the password? – ewanm89 Aug 30 '12 at 12:05
  • 2
    The strange windows of when you can update passwords are designed to prevent you cycling back around to your 'favourite' passwords after every required change. In the environment you describe (history 24, wow) this may not be a valid concern. – adric Aug 30 '12 at 12:20
  • Wow. Three days? I've heard of restricting to change only once per day, but I don't quite understand three days. 42 day expiration and 24 password history is a common standard, though. I forget whether I saw it in NIST or CIS, or both. – Iszi Aug 30 '12 at 12:42
  • 4
    Just checked. NIST says 60 days expiration, 24 password history. CIS has the same password history, with 90 days expiration. 42 day expiration and 24 password history is actually Windows' default. Since the Windows defaults are technically compliant in this regard, some System Administrators just don't bother changing them. NIST and CIS both recommend a 1 day minimum password life - Windows default is zero. I really don't know who goes for 3 days minimum. – Iszi Aug 30 '12 at 12:48
  • 1
    The minimum time would protect against smart people who know that they only have to change their password 24 times in order to be allowed their old one. – Simon Richter Aug 30 '12 at 16:35
  • Oh, and it works around broken replication. – Simon Richter Aug 30 '12 at 16:36
2

Those stored passwords are only used to check if you new password would match any of them and restrict such use. They're never used to allow you authenticate, so it doesn't impact security of using new password and defeats possible attempt to just bruteforce it in time.

The only downside in this scheme is that if this storage of old passwords is compromised, it may give more information about real "in-the-wild" passwords to be included in dictionaries and tried somewhere else, than just storing current password. That, of course, providing hacker would spend time bruteforcing it too or if hashing used in storage is weak.

Oleg V. Volkov
  • 799
  • 5
  • 11
  • 3
    Or it may give the users' password for accounts on other services, who here hasn't honestly used the same password on multiple services? Raise our hand, all of you ;) Yes we've all done it at some point, even those of us who know better. – ewanm89 Aug 30 '12 at 11:02
  • @ewanm89, I consider this part of 'more information about real "in-the-wild" passwords'. I've added a little clarification. – Oleg V. Volkov Aug 30 '12 at 11:15