Notifying People That They Entered Old Passwords: Good or Bad?

December 06, 2012
Jason Hong

Barracuda Networks has a blog entry about how Facebook and Google now notify you if you try to login using an old password. Instead of just saying that your password is incorrect, it tells you that you entered in an old password and when the password was changed.

There are some benefits to informing people that they used an old password. Telling people that they used an old password and when it changed might prompt people to remember that they changed it and what they changed it to. The notification might also be a useful warning that their account was compromised as well.

However, the folks at Barracuda argue that revealing this kind of information is a bad thing, in that it leaks sensitive information that hackers can use to gain a few extra bits of information about an individual. While I agree in principle that information leaks are a bad thing, in this case I think the benefits of telling people that they used an old password far outweigh the potential costs. My primary rationale is that the number of attacks that a bad guy could do here is quite small, due to the number of security precautions that Facebook and Google already have in place.

For example, Facebook’s social authentication is triggered if a person logs in from an unusual geographic location or new device (see Polakis et al, 2012). So even if an attacker finds out that you’ve changed your password, they would still have to guess the actual password, as well as go through social authentication. Note that the Polakis et al paper found that, with enough effort, attackers actually can break through social authentication (they could break 22% of social authentication trials). However, it’s also worth pointing out that it took the researchers a non-trivial amount of effort to get to this level of success.

Google doesn’t have this kind of protection yet. Presumably, Google and Facebook also have some kind of monitoring system in place to detect repeated failed login attempts from the same computer, or repeated attempts on the same account, though there doesn’t seem to be any info published about it.

So, the best advice for protecting your Google docs and GMail is to use Google’s two-step verification. This enhanced authentication process will send an extra code to your phone when you login from an unusual device, making it harder for attackers to break in. If you aren’t already using Google’s two-step verification, you should, and you should do it right now.

Basically, it all boils down to your threat model. If you are worried about mass attacks, where any random hacker is trying to hack random accounts, then the few extra bits of information offered by Facebook and Google telling you that you entered in an old password isn’t a problem. On the other hand, if you are worried about a dedicated hacker who is targeting you specifically (which is relatively rare), then it offers them a eensy-teensy-little bit of extra information, which for all practical purposes doesn’t really help an attacker guess what your current password is.

So my verdict? Telling people that they entered in an old password is a good thing, in that it improves usability at extremely little cost to security.

References
Polakis et al. All Your Face Are Belong to Us: Breaking Facebook’s Social Authentication. ACSAC 2012. http://www.cs.columbia.edu/~angelos/Papers/2012/soauth-break.acsac12.pdf