this post was submitted on 26 May 2025
567 points (96.4% liked)

Cybersecurity - Memes


Only the hottest memes in Cybersecurity

[–] [email protected] 47 points 1 week ago* (last edited 1 week ago) (7 children)

It pisses me off that so many companies store a database of X number of your old passwords in the first place. Like, fuck off twerps, I probably still use those old passwords for at least 20 other logins. When your shitty database is compromised I now have to worry about all of them.

[–] [email protected] 20 points 1 week ago (1 children)

The old passwords don't have to be stored in plain text. They can still be hashed and salted.

[–] [email protected] 4 points 1 week ago

In theory, yes. But unintentional bugs and security flaws exist (cf. sites like Have I Been Pwned), and storing old passwords next to new ones increases the impact of such bugs and flaws significantly, precisely because folks use the same password for different services. Of course people shouldn't do that, but they do, and as a dev you should be mindful of that.

[–] [email protected] 11 points 1 week ago

You're like, so close.

Don't reuse passwords between different services, or after a password reset. You're aware of exactly why that's a bad practice (a compromise of any one of those services, or an old database of those services will expose that password), so why knowingly bear that risk?

[–] [email protected] 7 points 1 week ago (1 children)

Last time I had to implement a feature like that, I stored a substring of the old password's hash. If one User in a million gets a False quotation Mark same Passwort quotation Mark message, I can live with it.

[–] [email protected] 8 points 1 week ago* (last edited 1 week ago) (1 children)

Hey, I know quotation marks are expensive, but since I like your attitude to keeping your users secure you can have some of mine: " " " " "

You can just copy and paste them into your next post.

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago)

I would like to donate as well:

" " " " ' ' “ ” « »

[–] pishadoot 5 points 1 week ago (1 children)

I mean, that's true if you reuse your passwords instead of using a password manager that can generate random gibberish... Which is itself a very poor habit exactly because of this very fact?

Even assuming a company follows best practices (a bold assumption that is wholly inconsistent with reality) there's ALWAYS a possibility of a breach - and it's not if, it's only when.

So, everyone should be using a password manager by default.

I like to use KeePassXC personally because it's fully under my control. I don't really care for ones that are hosted by 3rd parties because that introduces more risk if they get breached, but for many people that's fine; it's more convenient for the user. To me it's important enough that I manage it all locally.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (1 children)

So, everyone should be using a password manager by default.

And an email mask. Life is easier if you can reset a password and change your email after a breach and have the old email disabled and disappear.

[–] pishadoot 1 points 1 week ago

Agreed!

The pain with email maskers is when a service doesn't accept the email as valid... I have 2-3 I use. I start with Blur (Abine/IronVest, whatever you call it these days) and if it doesn't work I go to my bench warmers.

[–] [email protected] 5 points 1 week ago* (last edited 1 week ago)

I probably still use those old passwords for at least 20 other logins.

Right at the top of the list of things not to do with a password.

Someone with your Amazon account might assume you use Facebook, YouTube, Steam, and every bank around your location (they know). There's 2-factor, but not everywhere.

[–] [email protected] 2 points 1 week ago

Password managers are your friend 🙏

[–] [email protected] 2 points 1 week ago

I probably still use those old passwords for at least 20 other logins.

My soul cries for you.