You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently the password history is also saved if the "password history" seting is disabled. This means a lot of old passwords are saved in the database, without an advantage (as new passwords aren't checked against them anyway).
In case the database is leaked to an attacker, they gain the hashes of a lot more old passwords. This puts users in danger, who e.g. changed their old passwords to new policy-compliant passwords because of our app, but still use their old insecure passwords on other platforms. If an attacker cracks the hash, the attacker can then retry these passwords with their other accounts.
With the small improvement of not storing old passwords or even dropping the table if the setting is disabled, less old passwords could be leaked.
The text was updated successfully, but these errors were encountered:
Currently the password history is also saved if the "password history" seting is disabled. This means a lot of old passwords are saved in the database, without an advantage (as new passwords aren't checked against them anyway).
In case the database is leaked to an attacker, they gain the hashes of a lot more old passwords. This puts users in danger, who e.g. changed their old passwords to new policy-compliant passwords because of our app, but still use their old insecure passwords on other platforms. If an attacker cracks the hash, the attacker can then retry these passwords with their other accounts.
With the small improvement of not storing old passwords or even dropping the table if the setting is disabled, less old passwords could be leaked.
The text was updated successfully, but these errors were encountered: