It pisses me off that so many companies store a database of X number of your old passwords in the first place. Like, fuck off twerps, I probably still use those old passwords for at least 20 other logins. When your shitty database is compromised I now have to worry about all of them.
The old passwords don’t have to be stored in plain text. They can still be hashed and salted.
In theory, yes. But unintentional bugs and security flaws exist (cf. sites like Have I Been Pwned), and storing old passwords next to new ones increases the impact of such bugs and flaws significantly, precisely because folks use the same password for different services. Of course people shouldn’t do that, but they do, and as a dev you should be mindful of that.
You’re like, so close.
Don’t reuse passwords between different services, or after a password reset. You’re aware of exactly why that’s a bad practice (a compromise of any one of those services, or an old database of those services will expose that password), so why knowingly bear that risk?
Last time I had to implement a feature like that, I stored a substring of the old password’s hash. If one User in a million gets a False quotation Mark same Passwort quotation Mark message, I can live with it.
Hey, İ know quotation marks are expensive, but since I like your attitude to keeping your users secure you can have some of mine: " " " " "
You can just paste copy them into your next post.
I would like to donate as well:
" " " " ’ ’ “ ” « » ` `
Right at the top of the list of things not to do with a password.
Someone with your Amazon account might assume you use Facebook, Youtube, Steam, and every bank around your location (they know). There’s 2factor, but not everywhere.
I mean, that’s true if you reuse your passwords instead of using a password manager that can generate random gibberish… Which is itself a very poor habit exactly because of this very fact?
Even assuming a company follows best practices (a bold assumption that is wholly inconsistent with reality) there’s ALWAYS a possibility of a breach - and it’s not if, it’s only when.
So, everyone should be using a password manager by default.
I like to use KeePassXC personally because it’s fully under my control. I don’t really care for ones that are hosted by 3rd parties because that introduces more risk if they get breached, but for many people that’s fine; it’s more convenient for the user. To me it’s important enough that I manage it all locally.
And an email mask. Life is easier if you can reset a password and change your email after a breach and have the old email disabled and disappear.
Agreed!
The pain with email maskers is when a service doesn’t accept the email as valid… I have 2-3 I use. I start with Blur (Abine/IronVest, whatever you call it these days) and if it doesn’t work I go to my bench warmers.
My soul cries for you.
Password managers are your friend 🙏