Passwords, passphrases, information leakage and suggestions for improvements

Recently I suffered from a fault in the ‘Palemoon’ browser which meant that I needed to reset my password on the GCA site.

From my account preferences page, I asked the site to send me a password reset link.

When I used the link, I chose to use the existing password.

The form does not echo the password on the screen (although it does echo one character for each character in the password, which itself is enough to tell anyone how many characters are in the password) but of course I know what I’ve typed - as would anyone else using the form. If I were coding the page I would take steps to make it difficult to know the length of the password from what’s echoed on the screen - thus leaking less information to a potential attacker.

Having typed the password, the form refused to accept it and gave a message saying that it was the same as the existing password.

That seems a trifle dangerous to me. In any case I’m not convinced that replacing a password with itself is inherently dangerous, but if I’d coded it, and Management insisted on the restriction, I’d rather have it simply say that the password was not acceptable without saying why - again leaking less information.

I tried again, choosing the password 1234567890. The site told me the password “looks good”. How many of us would agree with that? How many have chosen that exact password on this site, or some other site, or both?

In general I’d eliminate the word ‘password’ from the entire site, replacing it with ‘passphrase’, and I’d insist on something which looks like a passphrase - not just a single word - unless it’s a really good single word which doesn’t even resemble a single word.

Thank you Ged for bringing this to our attention. We will look into it.

Hi Ged,

Thanks for getting in touch. We take security very seriously throughout our organization, so I appreciate the time you’ve taken to voice your concerns regarding our password policies on the community forum.

I’m sorry to hear that your password was previously compromised due to a fault within the browser you were using at the time. I’ve just personally walked through the password recovery process to ensure that all of these details match up.

I would suggest enforcing 2FA (2 factor authentication) on your profile to start with, as this is one of the greatest measures you can take to secure your account. When walking through the password reset/recovery process, there is no representation of the existing password, especially as all passwords are salted and hashed in the backend, meaning there’s no feasible way for the forum to present that information to the end user.

It also isn’t possible for a user to set “1234567890” as their password. The community forum prevents users from setting up a password that is found within the 10,000 most commonly used passwords. I have tested this myself, and while the site does indeed initially display “looks good”, this is purely based on a length check. Attempting to submit the password results in an error, as you would expect.

Regarding the “same as existing password” message you received when trying to use the same password as before, I would disagree with saying that this is not inherently dangerous. If the user already knows the password, then the account is already compromised. I would also like to insist that replacing a potentially-compromised password with the same password is in fact dangerous, and renders the whole process of changing the password pointless.

Additionally, changing the term “password” to “passphrase” throughout the site wouldn’t make a difference, especially considering that the two terms are often used synonymously.

Thank you again for taking the time to voice your opinions to us, we value your feedback.
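The thread above touches on three checks a reset form can apply: a live length hint (the “looks good” feedback), a lookup against a common-password blocklist on submit, and detection of “same as existing password” even though only a salted hash is stored. The following is an added illustration, not code from the GCA site or from either poster; the ten-entry blocklist is a constructed stand-in for the 10,000-entry list the reply mentions, and the minimum length, the PBKDF2 parameters and the function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for a "most common passwords" blocklist; a real
# deployment would load the full list from a file (assumption: lower-cased).
COMMON_PASSWORDS = {
    "123456", "password", "1234567890", "qwerty", "letmein",
    "111111", "abc123", "iloveyou", "admin", "welcome",
}
MIN_LENGTH = 10          # assumed policy value, not the site's actual setting
PBKDF2_ROUNDS = 200_000  # assumed work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt is generated when none is supplied, so two
    users with the same password get different digests.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_existing(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a candidate against the stored salt and digest.

    This is how a backend can tell a new password equals the old one without
    ever holding the old password in plaintext: re-derive with the stored salt
    and compare digests.
    """
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def length_hint(password: str) -> str:
    """Live feedback a form can give from length alone, before any submit.

    It deliberately knows nothing about the blocklist, which is why a value
    like 1234567890 can be reported as "looks good" here and still be rejected
    by validate_new_password() on submission.
    """
    return "looks good" if len(password) >= MIN_LENGTH else "too short"


def validate_new_password(password: str, salt: bytes, digest: bytes) -> List[str]:
    """Full server-side check; returns the list of violations (empty = accepted).

    Whether the caller shows these reasons to the user or collapses them into a
    single generic refusal is a separate UX/disclosure decision.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password blocklist")
    if matches_existing(password, salt, digest):
        problems.append("same as existing password")
    return problems


if __name__ == "__main__":
    # Constructed example account: only salt and digest are kept server-side.
    stored_salt, stored_digest = hash_password("correct horse battery staple")
    for candidate in ("1234567890", "correct horse battery staple", "a brand new passphrase 2024"):
        print(repr(candidate), length_hint(candidate), validate_new_password(candidate, stored_salt, stored_digest))
```

Running the block shows the split the reply describes: `length_hint("1234567890")` returns `"looks good"`, while `validate_new_password` on the same value returns a blocklist violation; reusing the existing password passes the length and blocklist checks but is caught by the salted-hash comparison.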