3

The general opinion on password policies seems to be that complexity rules are counterproductive to security due to the human nature [1].

Does this also apply to password policies prohibiting the re-use of passwords that a user had on the same system? What are the actual benefits (or disadvantages) of preventing the re-use of e.g. the 3 most recently used passwords? Would it be "secure enough" to just prevent that the current and the new password are identical?

Following the gist of the answer linked above, I feel that if e.g. a specific system's user has to change his/her password every month with a password policy in place that prohibits the re-use of the 3 most recently used passwords, the user would just use the password used before the 3rd latest. Hence, cycling through a pool of 4 passwords instead of 3, adhering to the password policy but defeating the policy's purpose.

Limitation:

  • The password must be remembered and typed by a human being. Password managers with CSPRNG-passwords are not feasible in this scenario.
  • The policy to regularly change the password cannot be challenged

[1] https://security.stackexchange.com/a/32223/176023

MarkusWET
  • 35
  • 6
  • This is quite subjective due to wide scope. A system can pre-generate a list of salted-hash and use it to prevent users from using it. The similar method can prevent password recycling, however, it can be easily defeated by using a simple offset mechanism base on previous password, e.g. a -> c , 1 -> 3 , 9->11 – mootmoot Aug 14 '18 at 11:48
  • 2
    https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ NIST actually just changed their recommendations for passwords to NOT include password rotation, for much the same reasons that you're listing here. Worth a quick read. – Monica Apologists Get Out Aug 14 '18 at 16:41
  • Thanks for the NIST link. That is actually really good input! – MarkusWET Aug 14 '18 at 17:47

3 Answers3

3

Forced password resets make passwords worse - unless users are educated otherwise (which can be non-trivial, especially in the enterprise Windows space).

Password crackers know very well most of the common schemes that users use when faced with periodic forced reset (incrementing a number, "Spring2018!" to match the 90-day cycle, etc.). Password crackers have many tools to quickly exploit these patterns. "[Current season][current year]!" is literally one of the first passwords that pentesters and crackers will try. Because of this, forced resets are an understandable but ultimately misguided cure.

The true solution is a combination of user education (teaching users to use random passphrases), and improved technology (improved UX to provide immediate feedback about exactly why a proposed password is probably bad, and - crucially - suggested alternative strategies).

On the web-application side, the improved UX is possible today, but there are no good reference implementations that I'm aware of. (We should probably make one!) But your question is almost certainly driven by a corporate use case, since most websites don't force password rotation on a scheduled basis.

For Windows interactive login (the most common corporate use case), there are OS-level (passfilt.dll) constraints on how UX can be used to provide password-specific feedback to the user. So the Windows ecosystem is currently making it hard to help corporate users pick strong passwords (which is unfortunate, because NTLM passwords are one of the faster/easier hash formats to crack!)

Royce Williams
  • 9,128
  • 1
  • 31
  • 55
  • So what I get from your and @serge-ballesta 's answers, as well as from mootmoot 's comment, limiting the re-use of X past passwords does neither help nor hinder security except giving a false sense of heightened security? – MarkusWET Aug 14 '18 at 15:28
  • In a Windows environment, limiting X past passwords - which is somewhat different from forced password resets - is usually recommended in order to prevent someone from quickly changing their password repeatedly until the X limit is reached, allowing them to use their original password. – Royce Williams Aug 23 '18 at 13:47
0

The theory is that a password should not be guessable (not in common dictionaries), should be resistent to brute force attacks (long enough), should be specific (not common to unrelated sites), should be regularly changed (to prevent shoulder surfing), and never re-used because that would defeat the previous rule. And the user should be able to remember it...

So all those damn password rules make sense, including the prevention of password recycling. The problem is that mere mortals are not good at finding good passwords. In that sense, this rule is the hardest for users to accept, because finding an acceptable password is hard, 2 or 3 requires bravery and consistency, more that 10 a year is simply impossible. Hopefully, it is generally implemented by storing the last hashes except for the last one that is asked at the same time of the new one. So having 2 unrelated password and simply adding a number is enough to meet that requirement.

The good news, is that is enough to protect against some threats: if an attacker ever got a database of hashed passwords and could decipher some of them, decent password hash schemes does not allow to guess that one single letter was changed, so the attacker has no special reason to concentrate on that password. The bad news if that an attacker ever found FooBar1 as password and the attack is human supervised, then they are likely to test FooBar2, 3, etc.

So as for the other rules, it closes some threats at the cost of user experience, and is not a silver bullet anyway. It can help, provided users are educated on the why and how(*).

The only use case where it would be really counter productive, would be if a database of old password was kept in an invertible form...

Education of users is essential in security, because if they cannot understand the why, they will just try to pass the rules, and have the password written on a paper, along with the username...

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
  • My disagreement with your answer lies here: "So all those damn password rules make sense, including the prevention of password recycling". Yes, it makes sense, but in practice it makes security worse (see @RoyceWilliams' answer). Granted, you go into the details in the rest of your answer, but you start with what sounds like a unmitigated approval of something that is actually quite messy, and often counter-productive. – Conor Mancone Aug 14 '18 at 16:41
  • "The bad news if that an attacker ever found FooBar1 as password and the attack is human supervised, then they are likely to test FooBar2, 3, etc." This, in fact, is exactly how the gentoo github repository got hacked. A hacker identified the password of an admin for the gentoo github page from a completely different site. The admin did not reuse the same password for their github account but they were using a "password scheme" with the site name in it. From just that one password the hacker was able to successfully guess their github password. Targeted attacks **do** happen. – Conor Mancone Aug 14 '18 at 16:43
-1

This paper from some folks at CMU discusses password reuse and it's behavior: https://www.archive.ece.cmu.edu/~lbauer/papers/2017/ccs2017-password-reuse.pdf

They state "Our results show that password reuse—in both exact and partial form—is extremely rampant. Participants in our study have passwords for 26.3 web domains on average, and they appear to deal with the problem of creating and recalling these passwords by partially or exactly reusing approximately 80% of their passwords across domains."

To your question about whether or not reusing passwords makes you more or less secure. I would have to say it makes you less secure. If an attacker gains access to a password dump on site X and tries your credentials on site Y and you have recycled a password the attacker.

In the paper "The Domino Effect of Password Reuse " http://130.18.86.27/faculty/warkentin/SecurityPapers/Merrill/IvesWalshSchneider2004_CACM44_4_Domino%20Effect%20of%20Password%20Reuse.pdf they support this saying: "If users have many password-protected accounts and they reuse a password across more than one account, a hacker gaining access to one account may be able to gain access to others. If, for example, a hacker gains access to a weakly defended departmental file server and those passwords are stolen, those passwords could be used to gain access to a more secure corporate system. "

Joe M
  • 2,997
  • 1
  • 6
  • 13
  • I believe you've misunderstood the question. The OP is asking about systems which force a user to use a new password when they change their password, especially in the context of systems which require a user to change their password regularly. You are answering a question about the dangers of reusing passwords across multiple accounts (which was my first impression from the title) which is a completely different question. – Conor Mancone Aug 14 '18 at 16:34
  • Hey Conor - Thanks for the comment. I believe the question asks about overall security. So that is why I answered with the information above. – Joe M Aug 14 '18 at 16:43
  • Sorry for the confusion, I am asking for the case that @ConorMancone specified. I'll edit the original question to be more clear. – MarkusWET Aug 14 '18 at 17:45
  • In the references cited and generally in the password-research space, "password reuse" means "using the same or similar passwords across multiple systems or sites" rather than "using similar passwords over time on the same site". – Royce Williams Aug 14 '18 at 19:16