See also about Facebook storing old passwords here and here.

If an attacker recovers one or more of your passwords from other breaches, it seems like plugging them into Facebook's UI could leak at least a few types of information:

One way to ameliorate this would be to store similar passwords, in addition to the actual passwords.

There should be additional layers of security as well. For example, if enough Captcha-authorized attempts continue to fail, then they should lock down the account or block that IP.

I looked at the app analytics in Facebook app manager and it showed that there were only 815 story clicks for the stories posted via this app. We also record each referral from Facebook in the database. I initially thought that there could have been some issue while recording which may have led to duplicate entries for a single referral from Facebook.

CERT's advice regarding handling sensitive data in memory is here.

Most of the comments here are pretty good and identify the key issues. However, one point which needs to be considered is that you need to assess these types of questions in context and be very careful regarding generalisations which state that it is either good or bad.

Another way would be to only store part of the hash.

There has been some research which presents the premise that password aging and password history may actually decrease security rather than increase it. The basic assumptions and ideas are

How It Works: Right now, most security experts are pointing to slower hashes as the best option for storing passwords. Hash functions like MD5, SHA-1, and SHA-256 are relatively fast: if you type in a password, it will return the results fairly quickly. In a brute force attack, time is the most important factor. By using a slower hash—like the bcrypt algorithm—brute force attacks take much, much longer, since each password takes more time to compute.

Offline Brute Force is when the database is compromised and the hashes are stolen. In this case, not only do the latest hashes leak, but the older ones as well, because, as you say, those were not erased.

Where it could be a problem is that it might leak an old password of yours to someone doing opportunistic guesses (for instance someone who partially shoulder surfed you before you changed your password, or someone who knows you and knows you use a very basic password; I can often guess my mother's passwords for instance). If you reuse that password anywhere else, you could be in trouble.

This means that while the whole hashing scheme is to prevent an attacker from gaining access to passwords EVEN IF the server is compromised, a skilled hacker could get at it anyway.

Store the old salt and hash values. Hash the new input with any old salts and see if they match.

There are two types of brute force to consider.

Let's say you have a password 123, someone got hold of it, and then you changed it. Sometime later you realized that you need to change the password again. So, if you enter '123', the system will not accept it and will throw you a message.

The other answers look pretty reasonable, but I wanted to add a few possibilities.

Google, Facebook, Twitter, and several other services still know the older passwords which we used on our accounts. At times, I cannot reuse the same password as I have. Then with Google, if I type an old password by mistake, it tells me when I last changed my password. I think this could be more or less of a security threat over doing any good.

If I have the traditional 3 field password reset (enter current, enter new, confirm new) I could store the current one as I replace the old with the new. However, then I have the case of a forgotten password. My users could go and do a self-service auto reset and reuse their passwords over and over again.

Neither of my alternatives prevents cyclic changes though (eg super-secure-password -> another-awesome-credential -> super-secure-password), but I'm not sure if I would really be worried about that.

I use a multi page sign up form but when adding <form id="msform" action="" method="post"> it won't register that the submit button has been pressed. I use the same design on my login but instead of it being multi page it's only one page, and everything works there.

I have an application with a user database. The database stores the password using a bcrypt hash with a randomized salt.

Question 2: Why could there be traffic from "http" sources considering that Facebook on browser and facebook on mobile both enforce "https"?

If the new hash is different from the old hash, then everything is okay (according to your criteria), and you can simply re-hash the new password with a new unique salt and store it in the database.

The problem is, the key is often stored on the very same server that the passwords are, so if the servers get hacked, a hacker doesn’t have to do much work to decrypt all the passwords, which means this method is still wildly insecure.

Does Facebook storing old passwords compromise security?

Does My Strong Password Matter? In this case, yes. Rainbow tables are made up of passwords that have already been tested against hashes, which means the really weak ones will be cracked very quickly. Their biggest weakness, however, isn’t complexity, but length. You’re better off using a very long password (like XKCD’s famous “correct horse battery staple”) rather than a short, complex one (like kj$fsDl#).

Thinking about how big sites usually have you log in, there seems to be a point in time where company servers have your password in memory in plain text. Is this true, and is it safe?

If the email and hashed password combination doesn’t match, no action is taken. This indicates that the stolen password is different than the password you use for Facebook, so an attacker wouldn’t be able to use that password to tap into Facebook. If the email address and hash combination matches, Facebook will notify the user next time they log in, guiding them through a process to change the password.

You have no idea how useful it is to a user when they are notified that they entered their old password by mistake or they changed it back this time, etc. It will really help a user who genuinely typed his old password by mistake.

It's a very nice feature for user experience. You might have forgotten you had changed the password, you might also have not logged in for a while or just be tired. Knowing that you haven't made a typo but that indeed you're looking for a different password helps you re-find your password in fewer attempts.

Facebook stores old password hashes (along with the old salt), such that if you try to log in with a previous password, Facebook tells you that you updated the password (and when). Nice user experience. Except this site isn't

After having no luck at finding a way to contact Facebook developer support, I have come to Stack Overflow. Here is the problem I'm facing -

If the new hash is the same, then the new password is the same as the old password. Tell your user to choose a new one.

However, there are a lot of records with referrer URLs that are different from the ones I mentioned above. Here is the list

However, the database records show different user agent, different referrer URL and different times of insertion for the records so my speculation of duplicate entries does not hold true.

How can I stop him from keeping the same password from the previous history?

Nothing is 100% secure; however, this feature of keeping old passwords protects you from using the passwords which are known to other unauthorized people.