Friday, October 14, 2011

Facebook password history...

"Unfortunately you have provided an old password. Your password was last changed yesterday at 07:52. If you don't remember making this change, please click here".

First thought: WTF does Facebook tell me this????

Second thought: Good, they seem to have some password history going on. Got to test that later on, by trying to change back to my old password. I guess they don't block that quite yet.

Third thought: This is good from a usability perspective. They've got quite a few users (...), this will make it easier for them to actually change their passwords whenever they feel the need to do so, and handle it afterwards.

Fourth thought: A bruteforce attack against known logins will eventually succeed, but it may also reveal one or more previously used passwords, enabling several methods of pattern-based password analysis to improve the chances of an attacker figuring out the correct password faster and with fewer attempts than from a blind start.

Not good.

Any opinions?


  1. Hey Per, I think this is actually very important for Facebook to do. When someone's account is compromised one common technique that attackers use is to change the user's password so they can't log back in. This generally results in the legitimate user trying to log in and failing. The first thing a typical user does then is assume they just forgot their password (because that never happens). If the user is proactive enough to use the 'forgot my password link' they then find that their password recovery options were also changed, which leads to even more confusion.

    What Facebook is doing there though is letting people know that their account was probably hacked (in the gentlest way possible so as not to alarm people who accidentally were trying to log in with an old password), and it provides them a link to recover their stolen account. I have to imagine the usability/security provided by this is much greater than the risk of leaking info about a user's old password (especially with Facebook limiting brute force guessing attacks by adding a CAPTCHA requirement after about 10 bad guesses).

  2. Hm. Good point Matt, and a gentle way to say that "your account may have been hacked", without actually telling the user so, in case the user just forgot to use the new password set.

    The rate limiting including CAPTCHA is interesting, I remember I got a reply from Socialcast some time ago about them using rate limiting solutions as well.

    I wonder though if those rate limitations are applied per user, or based on src.ip? What if I utilized a botnet or... TOR... to do a very limited number of guesses per account, but towards a very large number of accounts?

    I think I can agree on the usability/security aspect as you suggest, at least in the case of Facebook.

    Not that I care about Facebook accounts at all, but towards a large corporation, gaining access as a single user will in many cases be a solid foundation for rather quick privilege / info escalation.


    Oh, and all those corporations using ActiveSync with AD usr/pass from employee smartphones to their OWA server... They probably don't have any smart rate limiting except for the rather standard AD policies, which are easy to figure out - and circumvent.
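The question raised in the thread, whether rate limiting keyed per user or per source IP catches a sweep that makes only a few guesses per account but across many accounts, is easiest to see as detection logic over failed-login records. This is an added example, not code from the post or its commenters; the log records, field layout and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed failed-login records: (timestamp_seconds, source_ip, account).
# Pattern A: one account ("alice") hit from several sources, each source only once.
# Pattern B: one source touching six accounts, each account only once.
# Pattern C: a user ("heidi") mistyping twice from one address (benign noise).
CONSTRUCTED_FAILURES = [
    (10, "198.51.100.1", "alice"), (20, "198.51.100.2", "alice"),
    (30, "198.51.100.3", "alice"), (40, "198.51.100.4", "alice"),
    (100, "203.0.113.5", "bob"), (110, "203.0.113.5", "carol"),
    (120, "203.0.113.5", "dave"), (130, "203.0.113.5", "erin"),
    (140, "203.0.113.5", "frank"), (150, "203.0.113.5", "grace"),
    (200, "192.0.2.7", "heidi"), (260, "192.0.2.7", "heidi"),
]


def _window_max(times, window_s):
    """Largest number of timestamps that fall inside any window_s-second span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_failed_logins(events, window_s=600, per_account_max=3, accounts_per_source_max=5):
    """Return (accounts exceeding the per-account limit, sources sweeping many accounts)."""
    by_account = defaultdict(list)                       # account -> failure times, any source
    by_source = defaultdict(lambda: defaultdict(list))   # source -> account -> failure times
    for ts, src, account in events:
        by_account[account].append(ts)
        by_source[src][account].append(ts)
    # Rule 1: per-account counting is source-agnostic, so spreading guesses over many
    # addresses does not hide a single hammered account.
    brute_forced = sorted(a for a, ts in by_account.items()
                          if _window_max(ts, window_s) > per_account_max)
    # Rule 2: per-source counting of distinct accounts newly touched inside the window
    # catches a sweep whose per-account count never reaches the lockout threshold.
    spraying = []
    for src, accounts in by_source.items():
        first_touch = [min(ts) for ts in accounts.values()]
        if _window_max(first_touch, window_s) > accounts_per_source_max:
            spraying.append(src)
    return brute_forced, sorted(spraying)


if __name__ == "__main__":
    print(flag_failed_logins(CONSTRUCTED_FAILURES))
```

A limiter that only counts per account misses pattern B, and one that only counts per source misses pattern A; the two rules together cover both, while the benign double mistype trips neither.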

