• psycho_driver@lemmy.world · 50 up / 3 down · edited · 14 days ago

    It pisses me off that so many companies store a database of X number of your old passwords in the first place. Like, fuck off twerps, I probably still use those old passwords for at least 20 other logins. When your shitty database is compromised I now have to worry about all of them.

    • tfmA · 20 up · 14 days ago

      The old passwords don’t have to be stored in plain text. They can still be hashed and salted.

      • wpb@lemmy.world · 4 up · 13 days ago

        In theory, yes. But unintentional bugs and security flaws exist (cf. sites like Have I Been Pwned), and storing old passwords next to new ones increases the impact of such bugs and flaws significantly, precisely because folks use the same password for different services. Of course people shouldn’t do that, but they do, and as a dev you should be mindful of that.

    • GamingChairModel@lemmy.world · 12 up / 1 down · 14 days ago

      You’re like, so close.

      Don’t reuse passwords between different services, or after a password reset. You’re aware of exactly why that’s a bad practice (a compromise of any one of those services, or an old database of those services will expose that password), so why knowingly bear that risk?

    • wulrus@lemmy.world · 7 up · 14 days ago

      Last time I had to implement a feature like that, I stored a substring of the old password’s hash. If one User in a million gets a False quotation Mark same Passwort quotation Mark message, I can live with it.

      • chillhelm@lemmy.world · 8 up · edited · 13 days ago

        Hey, I know quotation marks are expensive, but since I like your attitude to keeping your users secure you can have some of mine: " " " " "

        You can just copy and paste them into your next post.
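The two approaches discussed above, tfmA's point that history entries can be salted hashes and wulrus's variant of storing only a prefix of each hash, as an added Python example; this is not code from any commenter, and the class, the scrypt parameters and the sample passwords are my own assumptions:

```python
import hashlib
import hmac
import os

# scrypt work factors (values assumed for this example); memory-hard, so a
# leaked history table is still expensive to brute-force.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

class PasswordHistory:
    """Last `max_entries` passwords of one user, kept as (salt, digest) pairs.

    Each entry has its own random salt, so equal passwords never share a digest.
    With keep_bytes < 32 only a digest prefix is stored: reuse is still caught,
    but a leaked prefix is not a usable password hash. The cost is a spurious
    "same password" rejection, probability about 2**(-8*keep_bytes) per entry.
    """

    def __init__(self, max_entries: int = 5, keep_bytes: int = 32):
        self.max_entries = max_entries
        self.keep_bytes = keep_bytes
        self.entries = []  # list of (salt, digest prefix)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)[:self.keep_bytes]))
        del self.entries[:-self.max_entries]  # drop the oldest beyond the limit

    def was_used(self, candidate: str) -> bool:
        # Re-derive the candidate under every stored salt; compare_digest keeps
        # each comparison constant-time.
        return any(hmac.compare_digest(hash_password(candidate, salt)[:len(d)], d)
                   for salt, d in self.entries)

def demo() -> dict:
    # Constructed sample passwords: keep the last 3, then add 4.
    hist = PasswordHistory(max_entries=3)
    for pw in ("hunter2", "correct horse", "Tr0ub4dor&3", "newest one"):
        hist.add(pw)
    return {
        "oldest_rolled_off": not hist.was_used("hunter2"),
        "recent_rejected": hist.was_used("Tr0ub4dor&3"),
        "fresh_accepted": not hist.was_used("something else"),
        "no_plaintext_stored": all(b"newest one" not in d for _, d in hist.entries),
    }
```

`PasswordHistory(keep_bytes=3)` gives roughly the one-in-sixteen-million false rejection rate per entry that the truncated approach accepts in exchange for a history table that is worthless to an attacker.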

    • Vanilla_PuddinFudge@infosec.pub · 6 up / 1 down · edited · 13 days ago

      I probably still use those old passwords for at least 20 other logins.

      Right at the top of the list of things not to do with a password.

      Someone with your Amazon account might assume you use Facebook, YouTube, Steam, and every bank around your location (they know). There’s 2-factor, but not everywhere.

    • pishadoot@sh.itjust.works · 5 up · 14 days ago

      I mean, that’s true if you reuse your passwords instead of using a password manager that can generate random gibberish… Which is itself a very poor habit exactly because of this very fact?

      Even assuming a company follows best practices (a bold assumption that is wholly inconsistent with reality) there’s ALWAYS a possibility of a breach - and it’s not if, it’s only when.

      So, everyone should be using a password manager by default.

      I like to use KeePassXC personally because it’s fully under my control. I don’t really care for ones that are hosted by third parties because that introduces more risk if they get breached, but for many people that’s fine; it’s more convenient for the user. To me it’s important enough that I manage it all locally.

      • AugustWest@lemm.ee · 2 up · edited · 13 days ago

        So, everyone should be using a password manager by default.

        And an email mask. Life is easier if you can reset a password and change your email after a breach and have the old email disabled and disappear.

        • pishadoot@sh.itjust.works · 1 up · 13 days ago

          Agreed!

          The pain with email maskers is when a service doesn’t accept the email as valid… I have 2-3 I use. I start with Blur (Abine/IronVest, whatever you call it these days) and if it doesn’t work I go to my bench warmers.

    • Smee@poeng.link · 3 up / 1 down · 13 days ago

      I probably still use those old passwords for at least 20 other logins.

      My soul cries for you.