33

An answer to this question says Facebook generates a bunch of password guesses to see if they hash the same as a previous version of the password.

Why bother? If a service forces every password to have sufficient length and complexity, why should it care if the changed password is similar to the previous password, since in theory each password is already sufficiently long and complex to meet security requirements?

Does Facebook's policy really prevent some kind of attack where hackers start with long complex password guesses and then try minor variations, or is it just an irritant for users, preventing them from using what are actually sufficiently good new passwords?

2 Answers

52

Because if Facebook can algorithmically produce similar passwords, then so can a password cracker.

The sequence could go like this: Password compromised -> user changes it to something similar -> new password compromised algorithmically by trying similar passwords to known previous one.

Also, imagine a scenario where an account is being specifically targeted by an actual human being. The attacker may know previous passwords or have an idea what they roughly could have been (e.g. the account owner's ex romantic partner or something). In this case, a password that was similar to a previous one would be more likely to be guessed.

MHG
  • 777
  • 7
  • 7
  • 3
    Step 1 ("password compromised") is what makes this seem like a lot of bother for nothing. If it was Facebook's fault an original password was leaked, then there was a bigger problem that new password checking didn't solve anyway. If it's the user's fault the original password was leaked, Facebook can't stop the user from making the same mistake with a new password no matter how different it is. ("We've forced you to use an unusual password. You're not going to write it on that postit stuck to your computer, right?") It seems password similarity checks mostly give a false sense of security. – Witness Protection ID 44583292 Mar 19 '14 at 23:01
  • 8
    It doesn't matter to the security question whose "fault" the exposure was. It is a lot easier to help a user generate a good password at creation time when you can see the plain-text than afterwards by reproducing the password cracking process. – Slartibartfast Mar 20 '14 at 01:40
  • What I do not understand is how can it help? AFAIK passwords are stored using one way functions with salt. So even if an attacker got the hashes, how could he derive the original text for it to even matter? – One-One Mar 20 '14 at 08:47
  • http://security.stackexchange.com/a/53483/41913 – Craig Tullis Mar 20 '14 at 09:26
  • 7
    @One-One By 'compromised', Hugh means the plaintext is known. User changes it. Attacker guesses the user has changed it to something similar, so attacker tries similar passwords. – OJFord Mar 23 '14 at 05:59
  • 1
    @One-One Maybe you used the same password on a random site that stored the password in plaintext, and it got compromised... – Bakuriu Sep 23 '16 at 14:59
  • 1
    @One-One *"AFAIK passwords are stored using one way functions with salt. So even if an attacker got the hashes, how could he derive the original text for it to even matter? "* By quickly trying all 23 million known passwords that have ever leaked, as well as trying every word, with every possible combination of 1337-speak, and all combinations of 2 character suffixes. That 2 or 3 seconds of work will probably have found your password. – Ian Boyd Jan 23 '19 at 16:32
1

Because users can easily circumvent the old-password policy by changing one character. Since you store hashes, and hashes change dramatically on small changes on the source, you have no way to measure the "distance" between different hashed passwords.

Easy example I have seen in my life: you have forced Alice to use a strong password made of letters, numbers and symbols, so here is her password

V@nillaSky2017

After 3 months it is time for Alice to change her password. Same criteria

And the new password iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiis.................

V@nillaSky2018

#epicfail nothing else to comment

usr-local-ΕΨΗΕΛΩΝ
  • 5,361
  • 2
  • 18
  • 35