I noticed that some web sites does not allow for the same password to be repeated by a user. I request your kind observation and insights into the following in this regard.
1. Do you really think that this is a security feature or this is a security hazard?
In my opinion, it is a feature as it is programmed in this web-site. The question is whether it is desirable. To meet this, the web-site must be keeping record of all the passwords set by all the users during the period of their usage of the web-site. I believe that this database would be maintained securely. However, if this database was broken into, then the hacker would have access to all the passwords set by the users. If the hackers study the password patterns of each user, they could be getting useful insight into the password setting pattern of the users and later exploit it to gain access to get other vital information of the users. If this be considered a decent possibility, then is this strategy not a security hazard for the users?
2. I would be interested to understand the logic behind programming this feature. What does the organisation and/or the webmaster really gain by not allowing users to reuse a password? If the database only stores the latest password and does not store the historical passwords, do you not think that the chances of breaking the encryption rules is made more difficult? Would you agree that the chances of the encryption rule being compromised is increased by storing the history of passwords and thus providing a wider sample set for study for cracking the encryption rule?
I believe that to be able to cut possibility of breaking a password when it is reused would be reduced if the encryption logic uses a key that varies with time (and now place could also be considered – physical location and/or logical location (IP Address of usage)).
Would appreciate your thoughts. What are the latest encryption standards?
Experiences of Partha Majumdar 