Friday, October 14, 2011
Facebook password history...
"Unfortunately you have provided an old password. Your password was last changed yesterday at 07:52. If you don't remember making this change, please click here".
First thought: WTF does Facebook tell me this????
Second thought: Good, they seem to have some password history going on. Got to test that later on, by trying to change back to my old password. I guess they don't block that quite yet.
Third thought: This is good from a usability perspective. They've got quite a few users (...), this will make it easier for them to actually change their passwords whenever they feel the need to do so, and handle it afterwards.
Fourth thought: A bruteforce attack against known logins will eventually succeed, but it may also reveal one or more previously used passwords, enabling several methods of pattern-based password analysis to improve the chances of an attacker figuring out the correct password faster and with less attempts then from a blind start.
Posted by Per Thorsheim