Why do some sites prevent users from reusing their old passwords?
The first question is: why do some services require passwords to be periodically changed. The answer is "Risk Mitigation".
Corporate governance requires IT security policies to be defined in accordance to a risk management plan. One of the question that risk management plans ask is how can one mitigate a risk if it occurs. In the context of passwords, the question is how can we limit the damage of a password leak.
If the system administrator is aware of the leak then users can be notified and other steps can be taken. To reduce the damage cause by a password leak of which the administrator is not aware, the lifetime of passwords is limited so that any leaked password can be used only for a short period of time.
So services require periodic changing of passwords. The problem is that users really don't like changing their passwords. So what users used to do when forced to change their password was to change it twice - once to some temporary password and then a second time back to the original password. This of course nullifies the purpose of the policy to require passwords to be changed.
So the next thing administrators did was store the last two passwords and check that the new password is different than the previous two passwords. The wily users countered that by changing the password three times - two temporary passwords and back to the original password.
You might think that users wouldn't go to all that trouble just in order to not change passwords, but this is what actually happened. A administrator friend of mine once compared the hashed passwords in his system after a year and found that almost all passwords were the same - despite the fact that that password policy forced users to change passwords every three months.
So the administrators started storing the last 10 passwords. And the users countered by using a fixed password plus a single changing digit at the end for a cycle of 10 passwords. And thus we've reached the situation today where many systems store all previous passwords.
Having said all that, the real value of these policies is dubious. Human beings have a limited capacity for remembering passwords and if it's wasted on remembering these rapidly changing passwords it can't be used to keep different passwords on different sites (which is much more important).
Because bureaucrats love to be bureaucratic. They think they are adding value by imposing all of these restrictions. In reality, not so much. It's not clear that there is any value to requiring people to change passwords or prevent reuse of old passwords on a routine basis. But what can you do?
These policies are often imposed by non-technical people, who are not used to thinking through a careful risk analysis in a logical, systematic way. If it feels right, then they go with it. And I can understand why imposing this kind of requirements feels like a good thing: it feels like you're "doing something". And surely doing something has to be better than nothing, right? Or so the thinking goes, anyway. (The thinking is probably wrong, but never mind that.)
Alternatively, sometimes there are external compliance requirements that may force system administrators to impose these kinds of requirements. Those compliance requirements may not actually be useful or sensible, but if they exist, there is no choice: you have to comply.
I'd like to point you to a fantastic research paper on this topic:
- Where Do Security Policies Come From?, Dinei Florencio and Cormac Herley, SOUPS 2010 (recipient of best paper award).
The paper examines 75 different web sites, ranging across a wide variety of audiences and security requirements: from online financial sites, government sites, educational sites, commerce and entertainment, and so on. It surveys their password requirements.
It has some surprising findings. For instance, the degree of security sensitivity, the value of the resources protected, and the number of users don't tend to correlate with the strictness of the site's password requirements. As the paper says, "Some of the largest, highest value and most attacked sites on the Internet such as Paypal, Amazon and Fidelity Investments allow relatively weak passwords." Even sites that have a lot to lose from security breaches often have weak security requirements.
Why is that? This might seem a bit of a puzzle.
The paper starts to provide some hints when it observes that government and educational sites tend to have strict password requirements, but sites that accept advertising or gain more revenue per user tend to have laxer security requirements.
The paper finally draws the following conclusion: for educational and government sites, their users have no choice. Their users cannot defect to a competitor site. Therefore, those kinds of sites can get away with unnecessarily strict password requirements; they have no incentive to improve usability. In contrast, the commercial sites where users have a choice have done their own risk tradeoff and decided that the usability loss of strict password requirements outweighs any modest security benefit from strict password requirements. Indeed, even those commercial sites that potentially have a lot to lose from security breaches -- e.g., online banking and financial sites -- often have relatively weak password requirements. If you assume those sites know what they're doing and have done the cost-benefit analysis, this suggests that the security benefits from strict password requirements are outweighed by the usability costs.
It's a great paper. You should read it.
By the way, I know the paper talks about strength requirements, as opposed to password-change policies or password-reuse policies, but the same conclusions apply equally (actually, with even more strength) to the latter. Password strength requirements quite plausibly do have some security benefit. In contrast, it's not clear whether there is any rational risk model that implies any benefit for policies that mandate password changes (and prevent reuse of old passwords). This suggests to me that strict password-change policies and password-reuse probably don't make sense.
It is not bad to leave passwords live long.
However, some people consider that password renewal is important and improves security. In all honesty, I am a bit at a loss when it comes to understanding what kind of reasoning goes in that assertion; at best, forcing regular password changes may have benefits if we consider that some passwords have already been stolen -- changing all passwords would be like superficial cleaning, a way to make a rotten situation more tolerable.
Nevertheless, if a system administrator wants users to change their passwords, then forbidding password reuse is quite logical: if users reuse old passwords, then they are not really changing their passwords. Whatever benefits could be obtained from password change, would be canceled by old password reuse.