
What are the risks of storing (in hashes I guess) all the old passwords? Why would a company choose to not delete old passwords? Why not let users reuse old passwords?

whatever489
  • Does the application also force you to change your password at regular intervals? – Philipp Jun 18 '16 at 11:16
  • @Philipp no it doesn't. I forgot my password so wanted to reset it, and then set a new password but it was refused because it was my initial password. – whatever489 Jun 18 '16 at 11:20

2 Answers


What are the risks of storing (in hashes I guess) all the old passwords?

The risks are very low, since the old passwords will not allow access to the account.

Why would a company chose to not delete old passwords?

Companies store old password hashes so they can check to make sure that you do not reuse x number of old passwords.

Why not let users reuse old passwords?

Password cracking takes time. If the attackers managed to obtain the password hash, they can crack it offline. Assume it took them 10 months to crack the password. If your company forces you to change it every 6 months, they will not be able to access your account after cracking since the password has already been changed. However, if you are allowed to reuse your old password, attackers can access your account.

Secondly, your plaintext password might have already been leaked and attackers might already be accessing your data right now. If you reuse your password for the next 10 years, attackers will continue to have access to your data for the next 10 years. If you change it every 6 months, you can at least minimize the timeframe and amount of data the attacker could have stolen.

limbenjamin

What are the risks of storing (in hashes I guess) all the old passwords?

see here

But just because you cannot use your old password doesn't mean that they necessarily store all the old passwords. They could just hash the password you provided and compare it to the stored hash.

Why would a company chose to not delete old passwords?

To prevent you from using an old password.

Why not let users reuse old passwords?

It defeats the whole purpose of changing a password.

A password may be changed if the old password is lost or compromised. At least in the second case, you really do not want to allow password reuse.

tim
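As an added example (not code from either answer or from any particular product), the following Python shows the mechanism both answers describe: the service keeps the salted hashes of the last few passwords (limbenjamin's "x number of old passwords"), and on a password change it hashes the submitted password with each stored salt and compares, as tim's answer says, so no plaintext old password is ever stored. The choice of PBKDF2-HMAC-SHA256, the iteration count, the 16-byte per-entry salt and a history depth of 5 are assumptions made for this example, not something the question or answers specify.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed parameters for this example only; a real deployment would pick
# a memory-hard KDF (scrypt/argon2) and tune the cost to its hardware.
ITERATIONS = 100_000
SALT_LEN = 16
HISTORY_DEPTH = 5  # the current password plus the previous four


@dataclass
class PasswordRecord:
    """One historical password: its own random salt and the PBKDF2 digest."""

    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, password: str) -> "PasswordRecord":
        salt = os.urandom(SALT_LEN)  # fresh salt per entry, so equal passwords hash differently
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
        return cls(salt, digest)

    def matches(self, password: str) -> bool:
        # Re-derive with this entry's salt and compare in constant time.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self.salt, ITERATIONS)
        return hmac.compare_digest(candidate, self.digest)


class PasswordReused(ValueError):
    """Raised when a new password equals one of the remembered old ones."""


@dataclass
class Account:
    # history[-1] is the current password; earlier entries are kept only
    # so that reuse can be detected, never to grant login.
    history: list = field(default_factory=list)

    def verify(self, password: str) -> bool:
        """Login check: only the current password counts."""
        return bool(self.history) and self.history[-1].matches(password)

    def would_reuse(self, password: str) -> bool:
        """True if the password equals any remembered password (current or old)."""
        return any(rec.matches(password) for rec in self.history)

    def set_password(self, new_password: str) -> None:
        if self.would_reuse(new_password):
            raise PasswordReused(f"password matches one of the last {HISTORY_DEPTH} passwords")
        self.history.append(PasswordRecord.create(new_password))
        # Forget anything older than the window, so very old passwords become usable again.
        del self.history[:-HISTORY_DEPTH]


if __name__ == "__main__":
    acct = Account()
    for pw in ["alpha-1", "bravo-2", "charlie-3", "delta-4", "echo-5"]:  # constructed sample passwords
        acct.set_password(pw)
    print("current password logs in:", acct.verify("echo-5"))
    print("old password logs in:", acct.verify("alpha-1"))
    try:
        acct.set_password("alpha-1")
    except PasswordReused as e:
        print("reset refused:", e)
```

Each history entry carries its own salt, so checking a candidate costs one KDF run per remembered password; with a small window that is acceptable, and it avoids the alternative of reusing one salt across entries, which would let an attacker who obtains the table test a cracked value against every entry at once.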