The Unit of Caring

you gave me wings when you showed me birds

Am I right in thinking that if a change-your-password screen objects when I  change my password to something the same as the old password but for one character (password1 -> password2, or similar), because they want me to create a password dissimilar from previous passwords, then they’re doing something horribly wrong? Or is there some secure way to check that?

  1. kaminiwa reblogged this from fnord888 and added:
    While you’re correct that they *could* do that… I’d expect a 5% chance of that, and a 95% chance that they’re storing...
  2. fnord888 reblogged this from theunitofcaring and added:
    You’d want to do that by taking the new password you’re attempting to use, and take each of the one-character...
  3. daniel-r-h said: I did the math on this, and in theory if they’re being as secure as possible about this, they cost you an amount of entropy logarithmic in the length of the password. The actual entropy your password has is linear in length. If they also specify a long enough minimum password length, this could in theory be secure. In practice, I doubt it.
  4. musketry reblogged this from theunitofcaring and added:
    In theory they could be generating 26*8 or so passwords that are one letter off from your old one, but you are probably...
  5. seimsisk reblogged this from reavowed
  6. throne3d said: Typically, a “change password” screen asks for both the old and new passwords, and then it can check for similarities client-side without any extra insecurity over you having just entered it. It’s possible it’s doing something insecure but not absolute.
  7. thetransintransgenic said: I know Facebook processes and stores (in the same way they store passwords) versions of your password with Caps Lock on, and I think like 2 other variations.
  8. jaiwithani reblogged this from theunitofcaring and added:
    As other comments have basically said: there are tricky ways to maybe do this securely, but there’s about a 0% chance...
  9. reavowed reblogged this from theunitofcaring and added:
    Usually, a change-your-password screen would require you to enter both your old password and desired new password. This...
  10. rictic said: Seconding anthropicprincipal. This is evidence that they’re either unusually competent or typically incompetent.
  11. poipoipoi-2016 reblogged this from theunitofcaring and added:
    EDIT: In retrospect, @anthropicprincipal has the right way of thinking about it. Original Answer: I want to say so off...
  12. anthropicprincipal said: They’re not necessarily doing something horribly wrong; they could still implement that behavior even if they’re using bcrypt. (Generate all two-character variations of the new password, hash with the same salt, and see if the old hash matches any hash of a variation of the new password.) But, if they’re making you change your password for no good reason, they’re probably messing up in other ways. goo.gl/xpbFbA
  13. theunitofcaring posted this