36

In a web application context, when a user wants to change their current password, they generally have to enter their current password first. However, at this point the user has already been authenticated using their current password to log in.

I somewhat understand that the existing password is required to prevent malicious users (who may access the current session on the user's machine) from changing the password. However, can't this argument be used in any situation? Why not ask for the password every time a request for sensitive information is made? How is the act of changing a password any different?

Craig Curtis
  • Regarding the last part of the question, my university uses a web application for the profs to assign the grades, and when you want to enter or submit grades, your password is requested. So yes, it does happen that the password is requested for other sensitive tasks. – Martin Argerami Nov 21 '12 at 14:05
  • Requiring re-authentication provides an added defense against Cross Site Request Forgeries (CSRF) which, given the context of changing the password, would be especially devastating. – Moses Nov 21 '12 at 21:17
  • In the olden days (when people shared accounts a lot) re-entering the password was a means of [optimistic concurrency control](https://en.wikipedia.org/wiki/Optimistic_concurrency_control) as well; if someone else had already changed the password, you wouldn't be able to change it again. – John Wu Mar 01 '17 at 08:02

7 Answers

55

If a user leaves their computer unattended for a few minutes (while logged in), we don't want someone else to be able to walk by and quickly change their password. For one thing, this would allow the attacker to change the associated email address, too, and now the legitimate owner is never getting his/her account back.

For another thing, just think of the potential for office pranks!

Changing your password is a sensitive enough operation that it makes sense to require the user to re-authenticate. And, since changing your password is a relatively rare operation, this doesn't introduce much inconvenience for users: it only changes the user experience in the rare cases where you change your password.

D.W.
  • Yep, convenience kills security, something we keep failing to learn. Hence entering the old password to authenticate that the person at least knows the old password. I had a period where office pranksters would get up to various devilment, the final straw being a lockout caused on a vendor website where a single account was shared company wide. It's amazing how easy it is to set up six separate accounts and keep passwords to yourselves after your day's purchasing and sales information gets cut off while you play phone tag with the help desk tech on the other end. They'd have loved no barrier... – Fiasco Labs Nov 21 '12 at 07:24
  • Why is this not the case with Windows when using the command prompt? Anyone can open a command prompt with Admin privileges and run net user ... to change the password without requiring the old password. – s.ouchene Sep 18 '21 at 08:17
32

Apart from the security motivation expressed by other answers (because the password is very sensitive and we do not want someone gaining transient access, e.g. a lunch-time raid, to transform it into permanent access), there can be practical issues. For instance, in systems where there are password-encrypted user secrets, the old password is needed in order to decrypt such data and reencrypt it with the new password. This is exactly what happens on Windows operating systems (it is one of the big differences with the Unix security model), and it may apply to some Web-based systems as well (depending on what the Web-based system does).

Thomas Pornin
  • I was going to include this, because I just implemented a password-based encryption for some third-party credentials in our user accounts. Changing either the password or these third-party credentials requires knowing the old one in order to decrypt the data so it can be changed and/or reencrypted. – KeithS Nov 21 '12 at 16:07
  • Why do you say it's different from Unix? That's exactly what Gnome (and probably KDE and OS/X as well) do with their key rings and/or encrypted directories (as PAM modules). – Stéphane Chazelas Jan 31 '14 at 07:07
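The "password-encrypted user secrets" case this answer describes, as an added example (not code from the answer, and a model of the concept rather than how Windows implements it): the user's secrets are encrypted under a random data-encryption key (DEK), the DEK is wrapped under a key derived from the password, and a password change has to unwrap the DEK with the old password before re-wrapping it with the new one. Python stdlib only; the HMAC-SHA256 counter-mode cipher is a stand-in for a real AEAD, and the iteration count, passwords and secret bytes are constructed sample values.

```python
import hashlib, hmac, os
PBKDF2_ITERS = 100_000  # illustrative count; production deployments use more

def derive_kek(password, salt):
    """Password -> key-encryption key (KEK); only someone holding the password can recompute it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, dklen=32)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream: a stand-in for a real AEAD such as AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with separate subkeys for encryption and authentication."""
    nonce = os.urandom(16)
    ks = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))

def create_account(password, secret_bytes):
    salt, dek = os.urandom(16), os.urandom(32)  # DEK: the random key that really protects the secrets
    kek = derive_kek(password, salt)
    return {"salt": salt, "wrapped_dek": seal(kek, dek), "secrets": seal(dek, secret_bytes)}

def change_password(account, old_password, new_password):
    """Needs old_password: without it the DEK cannot be unwrapped and the secrets are unrecoverable."""
    try:
        dek = open_sealed(derive_kek(old_password, account["salt"]), account["wrapped_dek"])
    except ValueError:
        return False
    account["salt"] = os.urandom(16)
    account["wrapped_dek"] = seal(derive_kek(new_password, account["salt"]), dek)
    return True  # account["secrets"] is untouched: only the wrapped DEK was re-encrypted

def read_secrets(account, password):
    """Decrypted secrets, or None if the password cannot unwrap the DEK."""
    try:
        dek = open_sealed(derive_kek(password, account["salt"]), account["wrapped_dek"])
        return open_sealed(dek, account["secrets"])
    except ValueError:
        return None
```

A server that only stored a password hash could reset the password without the old one, but an account built like this would lose its secrets; that is the practical constraint the answer points at.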
25

This is called the TOCTOU principle (Time of Check / Time of Use), which means that the authentication assurance of the user's identity (i.e. the user is still the same user that authenticated to the system) is too low to allow him to perform some actions, such as changing password or redefining the identity.

To make sure that the authentication assurance level is as high as possible when critical actions are done, the "delta TOCTOU", time between check of credentials and use of their privilege, must be as short as possible to prevent the issues addressed by D.W.

For me, this is an obvious example of an adjustable compromise between security and usability.

Henning Klevjer
8

Another side reason why the old password may be needed is when the passwords are hashed and you want to check that the new password is not too similar to the old one: you have to ask the user, as you can't get that information from the hashed password.

5

As the above answers have hinted, it's about limiting damage.

Another example: if you had the password reset feature implemented as a call to http://www.example.com/changepassword.php?newpassword=monkey, then I could make a link like that, hide it behind a tinyurl or something, and send it to someone I wanted to hack; if they clicked it while logged in, I would have locked them out of their account and taken it over.

Mark Stewart
  • This is called a [Cross-Site Request Forgery (CSRF)](http://en.wikipedia.org/wiki/Cross-site_request_forgery). – Polynomial Nov 21 '12 at 16:28
  • @Polynomial, and scarily it is exploitable for about everything, even in major web applications. – Pacerier Jan 31 '14 at 04:48
2

If the application does not use a CSRF (cross-site request forgery) token, then the password can easily be updated by an attacker just by sending a link. It is also very helpful if someone gets access to our session: they will not be able to update the password.

dany
1

I was looking for a standard, guideline or at least a recognised term for the "sensitive action confirmation". What I found is the OWASP Authentication Cheat Sheet and its "Require Re-authentication for Sensitive Features" section. In summary, the attack surface looks like:

  • CSRF
  • XSS
  • Session hijacking including temporary physical access to a user's browser

For sensitive features, requiring the current credentials for an account (read: the current password in most cases) mitigates the risk of the above attacks.

Some products and services (see below) allow you to define sensitive resources and require re-authentication or step-up (the user has to provide an additional authentication factor).

Also note that UI-level enforcement is not recommended. Here Auth0 has an example of how to issue a dedicated token for a particular sensitive resource with their client library.

Reference:

saaj
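The checks the answers above recommend, as an added example that is not from any of the posts: a change-password handler that accepts only a POST carrying the per-session CSRF token (so the crafted ?newpassword= link fails), verifies the current password with a constant-time compare, runs the similarity check that is only possible with the plaintext old password, and a `sensitive_action` helper that accepts a recent password check within a freshness window (the "delta TOCTOU") instead of re-asking every time. Python stdlib only; the dict shapes for `user` and `request`, the 300-second window and the PBKDF2 parameters are constructed assumptions, not from OWASP or Auth0.

```python
import hashlib, hmac, os, secrets, time

PBKDF2_ITERS = 100_000  # illustrative; tune to your hardware
REAUTH_WINDOW_S = 300   # "delta TOCTOU": maximum age of the last password check

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def verify_password(password, stored):
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

def too_similar(old, new):
    # Only possible with the plaintext old password: its hash says nothing about similarity.
    o, n = old.lower(), new.lower()
    if o in n or n in o:
        return True
    return sum(a == b for a, b in zip(o, n)) / max(len(o), len(n), 1) >= 0.75

class Session:
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)
        self.last_auth_at = time.monotonic()  # when the login password was last checked

def _csrf_ok(session, request):
    # State changes must be POSTs carrying the per-session token; a crafted link cannot supply it.
    token = request.get("form", {}).get("csrf", "")
    return request.get("method") == "POST" and hmac.compare_digest(token.encode(), session.csrf_token.encode())

def change_password(user, session, request):
    """user: {"pw_hash": bytes}; request: {"method": str, "form": dict} (constructed shapes)."""
    if not _csrf_ok(session, request):
        return "rejected: not a POST with a valid CSRF token"
    current, new = request["form"].get("current", ""), request["form"].get("new", "")
    if not verify_password(current, user["pw_hash"]):
        return "rejected: current password does not match"
    if too_similar(current, new):
        return "rejected: new password too similar to the old one"
    user["pw_hash"] = hash_password(new)
    session.csrf_token = secrets.token_urlsafe(32)  # rotate the token after a sensitive change
    session.last_auth_at = time.monotonic()         # this request re-authenticated the user
    return "ok"

def sensitive_action(session, request, now=None):
    """Other sensitive features: accept a recent password check instead of re-asking each time."""
    if not _csrf_ok(session, request):
        return "rejected: not a POST with a valid CSRF token"
    now = time.monotonic() if now is None else now
    if now - session.last_auth_at > REAUTH_WINDOW_S:
        return "re-authentication required"
    return "ok"
```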