Unlimited history password

Thanks for the feedback ;D @planedrop

1 Like

Hello All,

A larger password history would be useful if someone were to update/generate a new password field X times, which cleared out the old password.

Though unlikely it could still be useful. I think rather than it being unlimited for everyone, making this available as a policy and allowing the admin to set the limit would be better. Alternatively, making it so you can pull the data via an individualized password history ‘audit’ report or something.

2 Likes

Someone could merge all posts about unlimited history here. It is an idea; whoever is interested, it would be a good idea. ;D

I can’t tell you how many times I’ve been afraid of losing my current password when I use the password generator to update an account’s password, but the site keeps rejecting the newly generated password (without listing password requirements or indicating what I’m doing wrong: too many characters, unacceptable special characters, etc.).

2 Likes

I suggest merging this into Unlimited history password, which has more votes.

Not commenting on keeping password history as a matter of personal preference but on this:

Well, I hope I never get to deal with any of those places. I believe I have avoided them so far.

By that account, “strict security” means a person can break into an account or falsely identify themselves by using any password you ever used there. Multiple possible entry points, unlimited time, weakest point can be attacked. Most people’s older passwords are weaker than their newer ones, unsurprisingly. Gives a whole new payoff to harvesting.

As a personal option I have no difficulty with the proposal, so long as no significant commercial entity decides such “strict security” is a good idea on their side. 🙂

Here is my scenario:

Security server remembers last 12 passwords and won’t allow you to reuse any of those.
Password expiration is set to 7 days.
Minimum time to reset is set to 1 day.

Since BW only remembers 5 passwords, I could accidentally try one of the disallowed passwords.

Don’t know that unlimited is viable (storage costs) but as stated in other posts, other password managers keep a history much deeper than 5 (LastPass kept 30+ I think).

@capnmark Welcome to the forum!

As long as your passwords are randomly generated, the probability that you generate the same password twice is vanishingly small. For example, even if your password contains only 8 random alphanumeric characters, the probability of reproducing one of your 12 most recent passwords would be around 0.00000000001%.
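The collision estimate in the post above, worked through as an added example (this is not code from the thread, from Bitwarden, or from any poster; the function names are my own). It assumes a 62-character alphanumeric alphabet and a 7776-word passphrase list (the size of the EFF long list; the post does not say which list it has in mind). It also goes a step beyond the post: it gives the birthday-style probability of any repeat across a whole rotation schedule, and a generator that checks a local history so a server-side “last 12” rule can never reject a freshly generated password.

```python
"""Collision odds for randomly generated passwords against a server-side
password-history check.  Added example for this thread, not code from
Bitwarden or from any poster; function names are my own."""
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols (assumed generator alphabet)
EFF_LONG_WORDLIST_SIZE = 7776                  # assumed passphrase wordlist size


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords a uniform generator of this shape can emit."""
    return alphabet_size ** length


def p_match_history(space: int, history: int) -> float:
    """Probability that one fresh uniform draw equals any of the `history`
    most recent (distinct) remembered passwords: history / space."""
    if history > space:
        return 1.0
    return history / space


def p_any_repeat(space: int, rotations: int) -> float:
    """Probability that at least one repeat appears anywhere in `rotations`
    independent uniform draws (the birthday bound).  Computed exactly as
    1 - prod_{i<n}(1 - i/space), in log space so huge keyspaces stay stable."""
    if rotations > space:          # pigeonhole: a repeat is certain
        return 1.0
    log_no_repeat = sum(math.log1p(-i / space) for i in range(rotations))
    return -math.expm1(log_no_repeat)


def generate(length: int, alphabet: str = ALNUM) -> str:
    """Uniform random password over `alphabet`, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_unused(length: int, history: list, alphabet: str = ALNUM,
                    max_tries: int = 100) -> str:
    """Draw until the candidate is absent from the local history.  With a local
    history at least as deep as the server's, a 'you used that before'
    rejection cannot happen; for a real keyspace the loop never retries."""
    seen = set(history)
    for _ in range(max_tries):
        candidate = generate(length, alphabet)
        if candidate not in seen:
            return candidate
    raise RuntimeError("history covers too much of the keyspace")


if __name__ == "__main__":
    space8 = keyspace(len(ALNUM), 8)
    print(f"8 alnum chars, 12 remembered: {p_match_history(space8, 12):.3e}")
    print(f"1 word of {EFF_LONG_WORDLIST_SIZE}, 12 remembered: "
          f"{p_match_history(EFF_LONG_WORDLIST_SIZE, 12):.3%}")
    # The scenario in this thread: 7-day expiry, so about 520 rotations in 10 years.
    print(f"any repeat in 520 weekly rotations (8 alnum): {p_any_repeat(space8, 520):.3e}")
    print(f"any repeat in 520 weekly rotations (1 word): "
          f"{p_any_repeat(EFF_LONG_WORDLIST_SIZE, 520):.1%}")
    print("fresh password:", generate_unused(8, history=[generate(8) for _ in range(12)]))
```

The single-draw figure is the one the post quotes; the birthday bound is the one that matters for a 7-day expiry policy, because a one-word passphrase is almost certain to repeat somewhere in a few years of weekly rotations even though each individual draw looks safe.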

Fortunately or not, this is a password I need to type. Looking up the password every time I need to type it in is too inconvenient. So I use the “old recommendation” of 8 characters with some of the letters replaced. Terrible security, but it is only used on a server that is not connected to the internet.

If you don’t care too much about security, you could just use a single random passphrase word, which would give you a 1% probability of repeating one of the previous 12 passwords. The probability would drop to 0.1% if you include a random numerical digit at the end of the word.

I would also suggest that you recommend to your IT department that they review Section 10.2.1 and Section 5.1.1.2 of NIST’s current guidelines for memorized passwords (NIST Special Publication 800-63B: Digital Identity Guidelines, Authentication and Lifecycle Management), which clearly specify: