By Dave Michmerhuizen – Research Scientist, Jason Ding – Research Scientist
Researcher Mike Van Pelt at Barracuda Labs recently brought this issue to our attention.
If you change your Facebook password and then later try to log in using that password, Facebook will tell you that you've used an old password rather than simply telling you that the password is incorrect.
Contrast this message with the response that displays when an incorrect password is supplied.
The login for Google services exhibits the same sort of behavior, although the terminology is different. Google tells you how long it has been since the old password was valid.
Their response when an incorrect password is supplied is different and merely says that the password is incorrect.
This sort of differing response is a form of Information Exposure (CWE-200), something attackers use to gather intelligence when targeting specific systems or users. The best practice is to return the same failure message for every failed login and give a potential attacker no information at all. Telling an attacker that an attempted password was valid in the past, and roughly when it stopped being valid, confirms that the guess was good and may reveal something about how the account owner chooses and rotates passwords.
What is worse, and more likely, is that people using modern cloud services often rely on a fixed set of a few passwords for all of their online accounts. Attackers know this, and when a large-scale password breach occurs they test the recovered passwords against all of the popular services hoping to find a match.
While it is tempting to dismiss these cases because "it's just an old password," what Facebook and Google are doing here is effectively saying "That would have worked! Try LinkedIn!"
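To make the point concrete, here is an added example that is not code from Facebook, Google or Barracuda: a toy login handler with a password history, written two ways. The first mirrors the behaviour described above and answers differently for an old password; the second returns one failure message for every failed attempt but keeps the "old password was tried" signal server-side, where it is still useful for risk scoring. A constructed credential-stuffing loop then shows what an attacker with a breach dump learns from each. The account, the password list and the message strings are all made up for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

# Constructed example, not any real service's code. A user record holds the
# current password hash plus hashes of previous passwords; sites keep that
# history to block reuse, which is exactly what lets them say "old password".
Entry = Tuple[bytes, bytes]  # (salt, PBKDF2 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Entry:
    salt = salt if salt is not None else os.urandom(16)
    # Iteration count kept modest so the demo runs quickly; raise it in production.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)
    return salt, digest


def matches(entry: Entry, candidate: str) -> bool:
    salt, digest = entry
    _, cand = hash_password(candidate, salt)
    return hmac.compare_digest(digest, cand)


class User:
    def __init__(self, password: str) -> None:
        self.current: Entry = hash_password(password)
        self.history: List[Entry] = []

    def change_password(self, new_password: str) -> None:
        self.history.append(self.current)
        self.current = hash_password(new_password)


WRONG = "The password you entered is incorrect"
OLD = "You entered an old password"


def login_leaky(user: User, candidate: str) -> str:
    """Behaviour the post describes: the failure message depends on WHY it failed."""
    if matches(user.current, candidate):
        return "ok"
    if any(matches(e, candidate) for e in user.history):
        return OLD  # tells the attacker this guess was once valid
    return WRONG


def login_uniform(user: User, candidate: str) -> Tuple[str, bool]:
    """Hardened variant: one failure message for every failed attempt.

    The history check still runs, because "a former password was just tried"
    is a good credential-stuffing signal, but the result stays server-side
    (second return value, for risk scoring or alerting the owner after they
    log in) and never changes the response.
    """
    if matches(user.current, candidate):
        return "ok", False
    # Evaluate every history entry without short-circuiting so the work done,
    # and hence the response time, does not depend on whether an old password hit.
    old_hit = [matches(e, candidate) for e in user.history]
    return WRONG, any(old_hit)


def stuff(login: Callable[[User, str], str], user: User, leaked: List[str]) -> List[str]:
    """What an attacker does with a breach dump: try each leaked password and
    keep anything the service admits was valid at some point."""
    worth_trying_elsewhere = []
    for pw in leaked:
        if login(user, pw) in ("ok", OLD):
            worth_trying_elsewhere.append(pw)
    return worth_trying_elsewhere


def attacker_view_uniform(user: User, candidate: str) -> str:
    """Only the message part of login_uniform reaches the network."""
    return login_uniform(user, candidate)[0]


if __name__ == "__main__":
    victim = User("hunter2")  # constructed sample account
    victim.change_password("correct horse battery staple")
    dump = ["password1", "hunter2", "letmein"]  # constructed breach dump
    print("leaky   :", stuff(login_leaky, victim, dump))           # ['hunter2']
    print("uniform :", stuff(attacker_view_uniform, victim, dump))  # []
```

Against the leaky handler the attacker walks away with `hunter2` flagged as worth trying on other services; against the uniform handler every failed guess looks the same from outside, while the service itself still sees the `True` flag on the old-password attempt and can act on it.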