Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180516200857.GA12506@openwall.com>
Date: Wed, 16 May 2018 22:08:57 +0200
From: Solar Designer <solar@...nwall.com>
To: passwords@...ts.openwall.com
Subject: Re: Keeping old passwords

On Wed, May 16, 2018 at 12:04:32PM -0400, Matt Weir wrote:
> While I'm not privy to Google's risk analysis, they have mentioned in
> the past the steps they try an take to prevent offline attacks against
> password hashes.

Did they?  Can you post some links, please?

> My guess is their main concern is with data leaked to online attacks.

I think so too - more specifically, it's unauthorized logins using same
passwords reused on other (non-Google) services.  I recall this being
mentioned as the primary problem with passwords in a Googler's talk some
years ago.  But I am unaware of them publicly describing their measures
against offline attacks.

I don't know what Google does, but it is possible they don't store past
password (hashes) indefinitely unless it's a password they suspect was
compromised (such as in Denny's example).  Or do we know they don't
permit reverting to an old password on a Google account even when there
was no indication that anything looked suspicious to them?

FWIW, I'm generally against password histories.

Now, with my list moderator hat on, since I am posting a message to this
thread anyway:

I suspect at least one person is unhappy with this list's moderation -
I rejected a message that said only the below:

"Google has no regard for common sense when it comes to security. Why would this be any exception?"

I understand that my rejecting this (which I did for the message lacking
on-topic content) yet letting all of e's messages through looks weird at
least to that one person.  A reason for the discrepancy is that the list
is actually not pre-moderated for subscribers, and the only reason that
person's message was held for moderation was that it was sent from a
non-subscribed envelope-from address.  Also, if it contained on-topic
content in addition to that off-topic line, I'd probably let it through
(just like I'm OK with quoting that line in this longer message).

Probably there are also people unhappy with some of this getting
through, but I am not going to apply more subjective criteria nor set
the list to pre-moderated even for subscribers just yet.

Indeed, a one-line message isn't worth a multi-paragraph explanation
above (I could as well optimize by letting the message through and not
explaining), but I use this opportunity to explain how the list is run.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.