Friday, October 14, 2011

Facebook password history...

"Unfortunately you have provided an old password. Your password was last changed yesterday at 07:52. If you don't remember making this change, please click here".

First thought: WTF does Facebook tell me this????

Second thought: Good, they seem to have some password history going on. Got to test that later on, by trying to change back to my old password. I guess they don't block that quite yet.

Third thought: This is good from a usability perspective. They've got quite a few users (...); this will make it easier for them to actually change their passwords whenever they feel the need to do so, and to handle it afterwards.

Fourth thought: A brute-force attack against known logins will eventually succeed, but along the way it may also reveal one or more previously used passwords, and pattern-based password analysis on those improves an attacker's chances of finding the current password faster and with fewer attempts than from a blind start.

Not good.
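To make the fourth thought concrete, here is an added example (my own illustration, not Facebook's code or anything from the original post) of a login check that keeps a password history. The `login_verbose` function behaves like the message quoted above: a failed login gets a different response when the guess matches a retired password. The `login_uniform` function is the defensive alternative: the same failure response for old and unknown passwords, with the old-password hit recorded server side so the account owner can be notified out of band instead of through the login response. All names, the sample passwords and the timestamp are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime

# Kept low so the example runs quickly; a production deployment uses a far slower setting.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    current_hash: bytes
    # (hash, retired_at) of previous passwords, newest first
    history: list = field(default_factory=list)
    # server-side events for an out-of-band owner notification; never echoed in a login response
    events: list = field(default_factory=list)


def new_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def change_password(acct: Account, new_password: str, when: datetime) -> None:
    acct.history.insert(0, (acct.current_hash, when))
    acct.current_hash = hash_password(new_password, acct.salt)


def _classify(acct: Account, password: str):
    """Return ("current", None), ("old", retired_at) or ("none", None)."""
    candidate = hash_password(password, acct.salt)
    if hmac.compare_digest(candidate, acct.current_hash):
        return "current", None
    for old_hash, retired_at in acct.history:
        if hmac.compare_digest(candidate, old_hash):
            return "old", retired_at
    return "none", None


def login_verbose(acct: Account, password: str) -> str:
    """The behaviour the post describes: the response reveals a match against a retired password."""
    kind, retired_at = _classify(acct, password)
    if kind == "current":
        return "ok"
    if kind == "old":
        return f"old password; last changed {retired_at:%Y-%m-%d %H:%M}"
    return "wrong password"


def login_uniform(acct: Account, password: str) -> str:
    """Hardened variant: identical failure response; the old-password hit goes to a server-side event."""
    kind, retired_at = _classify(acct, password)
    if kind == "current":
        return "ok"
    if kind == "old":
        acct.events.append(("old_password_attempt", retired_at))
    return "wrong password"


def responses_distinguish(login, acct: Account, guesses) -> bool:
    """True if failed-login responses alone separate retired passwords from unknown ones."""
    responses = {login(acct, g) for g in guesses}
    responses.discard("ok")
    return len(responses) > 1


def demo_account() -> Account:
    # Constructed sample: one password change, timestamp chosen to match the quoted message
    acct = new_account("alice", "winter2010!")
    change_password(acct, "winter2011!", datetime(2011, 10, 13, 7, 52))
    return acct


if __name__ == "__main__":
    acct = demo_account()
    guesses = ["winter2010!", "summer2009!"]  # constructed: one retired password, one unrelated
    print(responses_distinguish(login_verbose, acct, guesses))  # True: response is an oracle
    print(responses_distinguish(login_uniform, acct, guesses))  # False: nothing to learn from the response
    print(acct.events)  # the old-password attempt is still known server side
```

The point of `login_uniform` is not to hide the event from the account owner; it is to move the "you entered an old password" signal to a channel the owner controls (a notification to a registered e-mail address, a security log in the account settings) so that the login form itself answers every failure the same way.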

Any opinions?