Passwords

I noticed that some web sites do not allow the same password to be repeated by a user. I request your kind observation and insights into the following in this regard.

1. Do you really think that this is a security feature, or is it a security hazard?
In my opinion, it is a feature, as it is programmed into this web-site. The question is whether it is desirable. To meet this, the web-site must be keeping a record of all the passwords set by all the users during the period of their usage of the web-site. I believe that this database would be maintained securely. However, if this database were broken into, then the hacker would have access to all the passwords set by the users. If the hackers study the password patterns of each user, they could gain useful insight into the password-setting pattern of the users and later exploit it to gain access to other vital information of the users. If this be considered a decent possibility, then is this strategy not a security hazard for the users?

2. I would be interested to understand the logic behind programming this feature. What does the organisation and/or the webmaster really gain by not allowing users to reuse a password? If the database only stores the latest password and does not store the historical passwords, do you not think that breaking the encryption rules is made more difficult? Would you agree that the chances of the encryption rule being compromised are increased by storing the history of passwords and thus providing a wider sample set for study for cracking the encryption rule?
I believe that the possibility of breaking a password when it is reused would be reduced if the encryption logic uses a key that varies with time (and now place could also be considered – physical location and/or logical location (IP address of usage)).

Would appreciate your thoughts. What are the latest encryption standards?


One comment

  1. Had a very interesting conversation with my friend Nabeel in the Smoking Area. Nabeel told me that web masters insist on users not providing the same password because the hackers constantly try to break the passwords by the brute force method using computer programs. They try to decipher the pattern of the secure hash algorithm, or SHA. (There are the following variants of SHA – SHA-0, SHA-1, SHA-2 and SHA-3. SHA-1 is the most widely used algorithm at the moment and SHA-3 is the latest, announced on 02Oct12). If the same password is used by the user, then the possibility that the hacker can find a part of the password by reverse engineering the SHA-1 pattern exists. Although hackers will take a few years to achieve this using very powerful computers, it is still a possibility. Thus, users need to change their passwords from time to time. By not allowing the user to use the same password, the web masters provide a service to the users to protect them from potential fraud.

    However, users also need to use this feature effectively. If the user maintains a constant part in the password and changes a minor part, then the utility of this feature is reduced. For example, if the first password set by the user is “ab1234” and the next is set as “ab5678”, the user is not doing a big favour to himself/herself.

    Now comes a bigger challenge. Is it possible to provide this feature to the user (to force the change of password) without the need for the web site to store the historic passwords? Can the login programs be given some form of artificial intelligence so that they can remember the old passwords without actually storing them in a database? It has to store something. Could the computer only store some patterns of the old passwords and extrapolate whether the new password matches any of the older passwords? Can the computer actually behave like a human brain one day?
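An added example, not from the post or the comment above, of how sites commonly answer the question of "storing something" without keeping the old passwords themselves: only a salted, slow hash of each recent password is retained, a candidate is re-hashed against each stored salt, and similarity to the previous password is checked only at change time, because that is the one moment the previous password is available in plaintext. The function names, the PBKDF2 work factor, the history window and the similarity rule are assumptions for illustration.

```python
import difflib
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000   # PBKDF2 work factor (assumed); production should prefer a memory-hard KDF
HISTORY_LENGTH = 5     # current password plus the last four, all kept only as salted hashes

def _hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: the only form in which any password is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    history: list = field(default_factory=list)   # previous (salt, hash) pairs, newest first

def create_account(password: str) -> Account:
    salt = os.urandom(16)                       # fresh salt per password: equal passwords hash differently
    return Account(salt, _hash(password, salt))

def _matches_any(password: str, entries) -> bool:
    # Each entry has its own salt, so the candidate must be re-hashed once per entry.
    return any(hmac.compare_digest(_hash(password, s), h) for s, h in entries)

def _too_similar(old: str, new: str) -> bool:
    """Flags the 'ab1234' -> 'ab5678' pattern (same stem, only digits changed) or a high
    overall similarity. Works only against the current password, the one supplied in plaintext."""
    stem_old, stem_new = old.lower().rstrip("0123456789"), new.lower().rstrip("0123456789")
    same_stem = bool(stem_old) and stem_old == stem_new
    return same_stem or difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio() >= 0.7

def change_password(acct: Account, old: str, new: str) -> str:
    """Returns a status string; the account is modified only on 'ok'."""
    if not hmac.compare_digest(_hash(old, acct.salt), acct.pw_hash):
        return "wrong-old-password"
    if _matches_any(new, [(acct.salt, acct.pw_hash)] + acct.history):
        return "reused"                         # identical to the current or a recent password
    if _too_similar(old, new):
        return "too-similar"
    acct.history.insert(0, (acct.salt, acct.pw_hash))
    del acct.history[HISTORY_LENGTH - 1:]       # forget anything older than the window
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new, acct.salt)
    return "ok"
```

A breach of such a store yields only salted hashes of the recent passwords, not the passwords or their pattern across time, which is the risk the post raises.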
