When I changed my Facebook password yesterday, by mistake I entered the old one and got this:
Am I missing something here or this is a big potencial risk for users.
In my opinion this is a problem BECAUSE it is FaceBook and is used by, well, everyone and the latest statistics show that 76.3% of the users are idiots [source:me], that is more that 3/4!!
All kidding aside:
- Isn't this useful information for an attacker?
- It reveals private information about the user!
- It could help the attacker gain access to another site in which the user used the same password
- Granted, you should't use use the same password twice (but remember: 76.3%!!!)
- Doesn't this simply increase the surface area for attackers?
- It increases the chances of getting useful information at least.
- In a site like Facebook 1st choice for hackers and (bad) people interested in valued personal information shouldn't anything increasing the chance of a vulnerability be removed?
Am I missing something? Am I being paranoid? Will 76.3% of the accounts will be hacked after this post?
Best Answer
I think the security risk is minor.
However, I'd feel a lot better if they removed the text that tells you you have tried an old password, and just showed this message every time you entered an invalid password after changing your password recently.
I think that would give you the best of both worlds - it lets you know that your password has been changed recently, and where from, and alerts you to the fact that you MAY be trying to use an old password. It doesn't give away one of your (albeit old) passwords to potential attackers