Is Google exposing our old passwords?
Have you ever noticed Google telling you “your password was changed X days ago” when you type your old password? And how about when you type several old passwords and Google keeps telling you the same message?
That is the security feature on the Google Accounts sign-in page that tells users, when they type an old password, that they changed their password some time ago. Google keeps telling you this even if you:
1) changed your password 3 months ago
2) type any of your old passwords (at least all of mine)
3) access your account every day, several times a day
The problem here is that a brute-force attack could expose passwords a user has used before. Considering how common it is for users to keep the same password across different services on the internet (and most of the time they follow a pattern when creating passwords, changing only one letter or number), an attacker who can confirm a password somebody previously used by brute-forcing the Google Accounts service could use it to deliver a more targeted attack.
Consider this type of attack on a high-profile account. A password is very personal and sensitive information.
I wrote to Google to talk about this, and the Google Security Team answered me right away, on the next day.
A snippet from the email:
“we do have to balance security with usability and the safety of our users. If we were to just give a generic error message a user may not realize that their password was changed by an attacker, this could prolong the period that an attacker has access to their account. Our hope is that if a user sees the current error message they will have a better chance of understanding why their password doesn't work (it was recently changed and not by them).”
Services like Yahoo and Hotmail give a generic error message if you type one of your previous passwords. Google also says they have additional security controls against brute force that would mitigate the risk.
I think it is a really valid approach to tell users that they changed their password, but it is possible to do it by sending an SMS (yes, not so cheap!) or an email to the alternative email address registered on your Google account.
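As an added illustration (my own sketch, not Google's code or anything from the email above), here is what that suggestion looks like in a login handler: every failed sign-in gets the same generic reply, and the “you changed this password N days ago” hint is sent only to the recovery address on file. The Account record, the notifications list standing in for an SMS/email queue, and the sample credentials are all assumptions; throttling of failed attempts, which Google mentions as an extra control, is left out.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Illustrative sketch with constructed data; not any real provider's implementation.
PBKDF2_ROUNDS = 100_000
GENERIC_FAILURE = "Wrong email or password."  # identical text for every failed sign-in


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def new_credential(password: str):
    """A (salt, digest) pair; each password, current or retired, gets its own salt."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def matches(password: str, credential) -> bool:
    salt, digest = credential
    return hmac.compare_digest(hash_password(password, salt), digest)


class Account:
    """Hypothetical account record: current credential plus the retired ones."""

    def __init__(self, password: str, recovery_email: str):
        self.recovery_email = recovery_email
        self.current = new_credential(password)
        self.previous = []                       # retired (salt, digest) pairs
        self.changed_at = datetime.now(timezone.utc)
        self.notifications = []                  # stand-in for an SMS / email queue

    def change_password(self, new_password: str) -> None:
        self.previous.append(self.current)       # keep history to recognise old passwords
        self.current = new_credential(new_password)
        self.changed_at = datetime.now(timezone.utc)


def login(account: Account, password: str) -> str:
    """Returns the same reply for every failure; the password-change hint goes out of band."""
    if matches(password, account.current):
        return "OK"
    if any(matches(password, old) for old in account.previous):
        # The sign-in form reveals nothing, so it cannot be used to confirm old passwords;
        # the legitimate owner still learns about the change through the recovery channel.
        days = (datetime.now(timezone.utc) - account.changed_at).days
        account.notifications.append(
            (account.recovery_email,
             f"A sign-in used a password you changed {days} days ago. "
             "If that was not you, review your account now."))
    return GENERIC_FAILURE
```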
And you, what do you think about this? Leave your comments.