Last year I promised myself to pull a prank on a small section of users for one of my web apps. My intention was to stop them from setting or changing their password until their fourth attempt. With every try, they were supposed to get an error message ‘Your password has already been used, please choose another’;
I know it is a crazy scheme, one that can totally backfire but the prank was to be pulled on a selected group of users (mostly friends).
Due to many reasons the biggest being procrastination, I haven’t pulled it off even as I write this.
A few days ago I was shocked to find this very error message on a web application when I was changing my password.
I was shocked and disappointed at the same time. Disappointed that someone had beaten me to it (prank) and shocked that what I thought was unfeasible is actually real and very possible.
I have tried to think of a reason why the app developers would want to crosscheck inputted passwords against existing ones and can only come up with one, an annoying password policy!
Some systems have stringent password policies, and I am not talking about password strength but more complex things like password duration, password reuse and some more. For example the Microsoft exchange email server can be configured to:
- Determine how long passwords can be kept before they need to be changed
- Determine how long users must keep a password before they can change it
- Enforce a password history(determine how frequently old passwords can be reused)
- Enforce a minimum password length
- Enforce a complexity requirement (strong passwords)
Honestly for an ‘ordinary’ web app, 4 and 5 should be sufficient, anything more is asking too much from users.
I sure hope that the reason I was asked to use another password on that website is because they have a password history policy, anything else is cause for alarm.
Am I still going to carry out my prank? Sure.
Like my post? Please support me by clicking on the Mersi button