
By saving all the passwords for all users forever, are companies accidentally creating a less secure environment?

Related to this question: Why do some sites prevent users from reusing their old passwords?

I understand that companies feel that they need to be protected, but by everyone taking the same strategy, it creates a poor security environment. It seems less secure to me. Am I missing something?

schroeder
Lazetti
  • To answer the question: they don't want you swapping two or rotating out many passwords, reusing the old one(s) each password change, because then a password change isn't really a password change, it's a facade. I'm not saying it's bullet-proof logic, but it's why they do it. – dandavis Sep 15 '20 at 21:41
  • 1
    I know the original post was long, but the question is a caveat to the related question. @dandavis was confused by the way I asked my question, and I realize that I didn't ask my question in the best way. How would you phrase the question? I know the reason for passwords, but if everyone does their passwords the same way, and one site gets hacked, all the passwords for each user are compromised. One could reasonably guess methods to hack other accounts (because most people use similar username/passwords). – Lazetti Sep 16 '20 at 22:06
  • @mti2935, I only operate on a small scale for passwords, so I have limited knowledge of the problem domain common knowledge. How long does it take to process a single password using one of those passwords? I'm not talking about cracking password manager PWs, hackers just need to break the bottom 50 percentile of passwords and it can wreck the password ecosystem so badly that password complexity has to go beyond what a normal person can remember. Is it a vulnerability to the entire ecosystem of passwords to contain all passwords each person uses? – Lazetti Sep 16 '20 at 22:12
  • 1
    @Lazetti, I think many people here would argue that password complexity _should_ go far beyond what any person can remember. I say you should only know two passwords: The one to log into your computer, and the one to log into your password manager, and these should be Correct Horse Battery Staple types of passwords. All others should be randomly generated and unique. – Ghedipunk Sep 17 '20 at 01:14
  • 1
    "by everyone doing the same thing..." -- does everyone do the same thing? Or is this a thought exercise? – schroeder Sep 17 '20 at 07:09
  • 1
    @Lazetti see https://security.stackexchange.com/questions/95758/how-secure-is-scrypt-really to get an idea of how much time/resources it would take to crack various length passwords hashed using various hashing algorithms. The idea is that all servers should store users' passwords in this manner. This way, even if the password database is leaked, it's very difficult for an attacker to recover the underlying passwords. – mti2935 Sep 17 '20 at 13:00
  • @schroeder Maybe not exactly the same thing, but they all tend to play by similar rules. If enough people don't have diversity in their decisions, which seems to me to be difficult to do with password mechanics, then we can ruin tables of passwords. – Lazetti Sep 19 '20 at 14:28
  • @mti2935, Thanks for that table. I am skeptical of estimates and not everybody implements security the way they 'should' do it. But it's very meaningful still to show relative complexity. – Lazetti Sep 19 '20 at 14:34

2 Answers

1

Just to be clear, they shouldn't be storing previous passwords, but hashes, preferably salted. Storing a password in plaintext is a no-no. Storing hashes for the last few passwords may be reasonable although debatable. Storing the whole history sounds overkill. You are wasting storage in a vain attempt to protect people from themselves.

Too many password policies are outdated or downright nonsensical. Insisting on special characters or non-intuitive patterns is indeed a reason why people rotate their passwords or change just one character. The result is that they end up using predictable patterns, whereas a long enough passphrase would be more memorable and just as secure. The longer it is, the harder it would be to reverse it from a stolen hash. Ironically, many sites don't allow long passwords, like > 20 chars.

Which leads us to another question (that was not asked). Does it make sense to force people to change their passwords every 3 months or so (which is the main reason why that "password history" exists in the first place)? If people were using unique passwords for each site, then there would be less worry about a password being compromised at one particular place. (A simple solution exists: using a password manager.)

To answer the question: that could be a possible security risk, depending on implementation. Storing plaintext passwords: red flag. Storing salted hashes: better. But what are they actually achieving in terms of security? Very little, I'm afraid.

Kate
  • 7,092
  • 21
  • 23
  • I know that they are hashes. The problem I see is WHEN someone inevitably gets hacked and loses pages of hashed passwords, hackers can run them on local machines and crack them with brute force techniques. (Which may easily be misunderstood by my question, but it gets closed if I include too much info...) And the fact is users do use the same passwords across sites. You can't engineer out this behavior. You can only build your advice around this habit. – Lazetti Sep 19 '20 at 14:01
1

If you store all the password history of a user, by mitigating one weakness you end up introducing another.

Weakness 1: users might reuse old passwords, possibly invalidating a security control (the security control that was meant to stop attackers from getting persistent access once they have stolen a password).

Weakness 2: all the history of passwords is stored in the database, so in case of a leak the attacker will gain a lot more information, possibly even stealing old passwords that a user might still use somewhere else. Imagine this password history: ['stackEx178', 'stackEx179', 'reedStackEx!', 'f8o17dh4m834H', 'r837cbKeTW7p9']. It looks like the user at some point started to use better passwords, maybe they even learned (or they were forced to learn) to use different passwords on different websites... but the old passwords (or similar passwords based on the old bad habits) might still be in use on some other websites.

By trying to mitigate weakness #1 (deciding to store all the passwords) you end up introducing weakness #2. However, I'm not sure which weakness would be the worse. Is it better to let users reuse the passwords? Or is it better to risk leaking the full history of passwords in case of an attack? I don't know.

All I can say is that by using very strong hash functions (with salt and pepper), you might be able to contain the damage in case of a leak. And by implementing some kind of access monitoring you might be able to mitigate the risk of stolen credentials without relying on regular password changes. I personally wouldn't like to store old passwords in the database forever, and would prefer investing more resources on some kind of access monitoring, suspicious behavior detection, and user training if possible.

reed
  • 15,538
  • 6
  • 44
  • 65
  • Persistent access: Is that the goal of changing passwords? I thought that changing passwords was a means to prevent dictionary-type attacks. Isn't that better stopped by the server watching for which accounts are getting flagged with wrong passwords? I personally think that it's a user's responsibility to manage the safety of their passwords. Anything you can do to empower them would be the best solution. Giving them the option to delete their old passwords while educating them on the potential tradeoffs. Because there definitely isn't one correct answer here. – Lazetti Sep 19 '20 at 14:13
  • @Lazetti, about the reason for changing passwords, it's also written in the accepted answer of the related question that you linked in your question. You can change passwords regularly to stop an attacker from being able to use them, in case they have managed to steal them (and you are not aware of it). So if I steal your password and you change it every month, I will be able to use it for no more than 1 month. Your mileage may vary though, because if for example your password allowed me to install a keylogger and a backdoor, you'll be out of luck. – reed Sep 19 '20 at 22:45
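An added example, not code from either answer, of the design both answers point at: a history bounded to the last few passwords (Kate's "last few"), stored only as salted, peppered slow hashes (reed's "salt and pepper"), and replayed over the constructed password list from reed's answer. The pepper value, history depth and PBKDF2 iteration count are illustrative assumptions, not a recommendation for production parameters.

```python
import hashlib
import hmac
import os
from collections import deque

# Server-side secret kept outside the database (constructed example value).
# Without it, a leaked table alone does not give an attacker hashes to crack.
PEPPER = b"constructed-example-pepper-keep-out-of-db"
HISTORY_DEPTH = 5        # keep hashes of the last N passwords, not the full history
KDF_ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (illustrative)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, peppered slow hash. The pepper is applied with HMAC first,
    then the per-record salt stops identical passwords hashing identically."""
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, KDF_ITERATIONS)


class PasswordHistory:
    """Bounded history of (salt, hash) records; no plaintext is ever stored."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.records = deque(maxlen=depth)  # oldest record is dropped automatically

    def was_used(self, password: str) -> bool:
        # Re-hash the candidate under each stored salt; compare in constant time.
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest in self.records)

    def set_password(self, password: str) -> bool:
        """Reject reuse of any password still in the bounded history."""
        if self.was_used(password):
            return False
        salt = os.urandom(16)
        self.records.append((salt, hash_password(password, salt)))
        return True


def demo() -> dict:
    # Constructed history from reed's answer, replayed through a depth-3 store.
    h = PasswordHistory(depth=3)
    for pw in ['stackEx178', 'stackEx179', 'reedStackEx!', 'f8o17dh4m834H', 'r837cbKeTW7p9']:
        h.set_password(pw)
    return {
        "reuse_latest_rejected": not h.set_password('r837cbKeTW7p9'),
        # 'stackEx178' has aged out of a depth-3 history, so it is accepted again:
        # the bounded store trades some of weakness #1 for less of weakness #2.
        "oldest_forgotten": h.set_password('stackEx178'),
        "plaintext_absent": all(isinstance(d, bytes) for _, d in h.records),
    }
```

What the leaked table would contain is only the salt and digest pairs in `records`; the old passwords in the list above never reach storage.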