Company can tell if new and old passwords are too similar. Is there a security problem?
Usually, when users change their password on a system, they're required to input their old password as well, along with the new password.
Now, this old password is hashed and checked against the hash stored in the machine (the password is not stored in cleartext). If the hashes match, then the system proceeds to compare the old password and the new password. If it finds that the two passwords are too similar, then it throws an error, informing the user about the same.
In case the passwords are sufficiently different according to the system logic, then the new password is hashed and this new hash value is stored in the system, hence successfully changing the user's password.
In case the users are NOT required to input their old password, I'd recommend you better check with your IT support team, and raise a concern with the system owner...
UPDATE: As pointed out in the comments, there's one more way to get around this issue without asking for the user's old password. When the user enters the new password, the system generates variations of the new password entered, hashes each one of them, and compares each hash against the old password's hash. If any of the hashes matches, it throws an error. Else, it successfully changes the password.
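Both flows from this answer, as an added example that is not part of the original post: the old-password flow verifies the old password against the stored hash and then compares the two cleartexts, while the flow without the old password hashes a constructed set of variations of the new password and compares each with the stored hash. PBKDF2 with a random salt, Levenshtein distance as the similarity metric, the minimum distance of 3 and the set of variations are all assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example

def make_record(password: str) -> dict:
    """Store only a random salt and the PBKDF2 hash of the password, never the cleartext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}

def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, the similarity metric used for the cleartext comparison."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def too_similar(old: str, new: str, min_distance: int = 3) -> bool:
    return edit_distance(old.lower(), new.lower()) < min_distance

def change_password(record: dict, old: str, new: str) -> dict:
    """With the old password: check it against the stored hash, then compare the cleartexts."""
    if not verify(record, old):
        raise ValueError("old password incorrect")
    if too_similar(old, new):
        raise ValueError("new password too similar to the old one")
    return make_record(new)  # only the new hash is kept

def variations(new: str):
    """Constructed neighbours of the new password: one char deleted, trailing digit changed or appended."""
    yield new
    for i in range(len(new)):
        yield new[:i] + new[i + 1:]
    for d in "0123456789":
        yield new[:-1] + d
        yield new + d

def change_password_without_old(record: dict, new: str) -> dict:
    """Without the old password: hash every variation and compare it with the stored hash."""
    if any(verify(record, c) for c in variations(new)):
        raise ValueError("new password too similar to the old one")
    return make_record(new)
```

The variation-based flow costs one password hash per candidate, so the size of the variation set directly sets how long a password change takes.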
This is a common requirement. The rationale is that you have to change your password regularly in case it has been compromised without you noticing it (someone looking over your shoulder, etc.).
If the new password is too similar to the old one, an attacker could first try slight variations of the old one (I assume he was able to steal it beforehand). In your example, you only change the last numeric character: 10 tries maximum.
But this is not normally implemented by storing the old password in clear text! Everyone now knows that it is bad. Simply, the change-password form requires the old password and the new one (repeated twice). That way:
- the old password is controlled to make sure you did not leave your workstation still connected and someone is tricking you
- the new password can be compared to the old one and will be rejected if it is too similar
- the new password is entered twice to limit the risk of a typo
And only a hash of the password is stored...