Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <97ba5f02-eb94-1c3f-c97d-08af39b7c550@bestmx.net>
Date: Wed, 16 May 2018 14:18:16 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Keeping old passwords

On 05/16/2018 02:00 PM, Denny O'Breham wrote:
> I  came about a Google methodology that I find strange.  The fact that
> it is Google worries me a little bit more.  I was wondering what
> people here thought about that.

Google use these passwords for PASSWORD RECOVERY!!!
what do i think?
it is infuriating!!!
google is both EVIL AND STUPID.


> 1- Is it a good idea to keep old passwords

if you are not google (i.e. do not have evil plans against your users)
there is no reason for you to keep old passwords.
if a user changed his password it is assumed compromised,
which renders it useless for any non-malevolent purposes.

> 2- Telling a user a different messages when he successfully enters an
> old password is insane.

yes it is insane, it pours your password information on your enemies.


> The fact that Google can force a user to change it, guess
> what? It is more than probable that the user is still using this old
> password on other websites.

you are onto something :)

actually, whenever you force a user to do something
you damage his defensive security strategy

and my guess is in agreement with yours
google does it intentionally.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.