An answer to this question says Facebook generates a bunch of password guesses to see if they hash the same as a previous version of the password.

Why bother? If a service forces every password to have sufficient length and complexity, why should it care if the changed password is similar to the previous password, since in theory each password is already sufficiently long and complex to meet security requirements?

Does Facebook's policy really prevent some kind of attack where hackers start with long complex password guesses and then try minor variations, or is it just an irritant for users, preventing them from using what are actually sufficiently good new passwords?


Because if Facebook can algorithmically produce similar passwords, then so can a password cracker.

The sequence could go like this: Password compromised -> user changes it to something similar -> new password compromised algorithmically by trying similar passwords to known previous one.

Also, imagine a scenario where an account is being specifically targeted by an actual human being. The attacker may know previous passwords or have an idea what they roughly could have been (e.g. the account owner's ex romantic partner or something). In this case, a password that was similar to a previous one would be more likely to be guessed.

Step 1 ("password compromised") is what makes this seem like a lot of bother for nothing. If it was Facebook's fault an original password was leaked, then there was a bigger problem that new password checking didn't solve anyway. If it's the user's fault the original password was leaked, Facebook can't stop the user from making the same mistake with a new password no matter how different it is. ("We've forced you to use an unusual password. You're not going to write it on that Post-it stuck to your computer, right?") It seems password similarity checks mostly give a false sense of security. – Witness Protection ID 44583292 Mar 19 '14 at 23:01
It doesn't matter to the security question whose "fault" the exposure was. It is a lot easier to help a user generate a good password at creation time when you can see the plain-text than afterwards by reproducing the password cracking process. – Slartibartfast Mar 20 '14 at 1:40
What I do not understand is how can it help? AFAIK passwords are stored using one way functions with salt. So even if an attacker got the hashes, how could he derive the original text for it to even matter? – One-One Mar 20 '14 at 8:47
@One-One By 'compromised', Hugh means the plaintext is known. User changes it. Attacker guesses the user has changed it to something similar, so attacker tries similar passwords. – OJFord Mar 23 '14 at 5:59
@One-One Maybe you used the same password on a random site that stored the password in plaintext, and it got compromised... – Bakuriu Sep 23 '16 at 14:59
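The check the question describes and the answer justifies, as an added illustration (not Facebook's code, nor anything from this thread): the site only holds a salted hash of the old password, so at change time it derives a small, bounded set of variants from the new plaintext (case changes, a trailing counter moved by one, a character added or dropped, single leet swaps), hashes each with the old record's salt, and rejects the change if any variant matches the old hash. The KDF, salt handling, transform set and the demo password are all assumptions; the point shown is that the transforms are the same ones a cracker holding the old plaintext would apply.

```python
import hashlib
import hmac
import os
import re

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
UNLEET = {v: k for k, v in LEET.items()}

def hash_password(password: str, salt: bytes, iterations: int = 10_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever KDF the site really uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def variants(password: str) -> set[str]:
    """Bounded set of strings a cracker who knows `password` would try first.
    The transforms are (roughly) symmetric, so if the OLD password turns up in
    variants(NEW), an attacker holding OLD reaches NEW just as cheaply."""
    out = {password, password[:-1]}                      # dropped trailing char
    out.update(password + ch for ch in "0123456789!.")   # appended char
    m = re.match(r"^(.*?)(\d+)$", password)              # trailing counter 2014 -> 2013/2015
    if m:
        stem, num = m.groups()
        out.add(stem)
        for delta in (-1, 1):
            out.add(f"{stem}{int(num) + delta:0{len(num)}d}")
    for i, c in enumerate(password):                     # single leet / de-leet swaps
        for table in (LEET, UNLEET):
            if c in table:
                out.add(password[:i] + table[c] + password[i + 1:])
    out.discard("")
    cased = set()                                        # case variants of everything above
    for p in out:
        cased.update({p, p.lower(), p.upper(), p.capitalize(), p.swapcase()})
    return cased

def too_similar(new_password: str, old_salt: bytes, old_hash: bytes,
                iterations: int = 10_000) -> bool:
    """Hash each variant of the NEW password with the OLD record's salt and compare
    to the OLD hash. Cost is one KDF run per variant, which is why the variant set
    must stay small; it never requires storing the old password in plaintext."""
    return any(hmac.compare_digest(hash_password(v, old_salt, iterations), old_hash)
               for v in variants(new_password))

# Constructed demo record: the user's previous password, stored salted and hashed.
DEMO_SALT = os.urandom(16)
DEMO_OLD_HASH = hash_password("Summer2014", DEMO_SALT)

if __name__ == "__main__":
    for cand in ("Summer2015", "summer2014", "Summer2014!", "$ummer2014", "correct-horse-battery"):
        print(cand, "rejected" if too_similar(cand, DEMO_SALT, DEMO_OLD_HASH) else "accepted")
```

A change from "Summer2014" to "Summer2015", "summer2014", "Summer2014!" or "$ummer2014" is rejected; an unrelated password passes.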
