Concerns regarding password policy

#1 - Feb. 12, 2013, 9:14 p.m.
Blizzard Post

The game has started refusing my login because I haven’t changed my password since you updated the blacklist. I think this is a questionable policy—the entire reason those blacklisted passwords are dangerous is that an attacker might use them to discover my password via guess-and-check, which means that ArenaNet should ALSO have been able to discover whether my password is on the list via guess-and-check sometime in the past 4 months (if it’s truly a practical attack), but that’s not why I’m posting.

Since I’m fairly confident that my password is NOT on the blacklist, and I have never used it for anything other than my Guild Wars 2 account, and I’ve already memorized it, I attempted to “change” my password to its current value. This produces the following error message:

“Unavailable password. You or someone else has used it before, or it’s on a known list of passwords stolen from other games or websites. Please use a new, unique password for your Guild Wars 2 account.” (emphasis added)

This concerns me for several reasons:

1) Refusing to let someone re-use a password generally does NOT improve security. Studies have shown that users either work around such restrictions (e.g. by rapidly changing their password to exhaust the buffer and return to the original), or they react to being forced to memorize more passwords by choosing easier-to-remember (and thus, usually less secure) passwords. So I think it is very unlikely that this restriction is doing your users any favors.

2) This message implies that I can find out whether someone else in your system has used a certain password by attempting to change my password to it. If true, then not only are you allowing me to guess the passwords for all your users simultaneously (probably a security weakness), but you must somehow be checking the new password I’ve entered against ALL the other passwords—which ought to be ridiculously expensive (computationally) if you are following good security practices and storing only expensive, uniquely-salted hashes of passwords. Which makes me pretty sure that either this message is inaccurate, or you’re storing the list of passwords “someone has used before” very insecurely.

3) You’re not even going to present different messages depending on whether the password is blacklisted or previously-used? The entire reason the blacklist is dangerous is because the bad guys already have it; if someone is trying to use a password off of that list, it would be courteous (and not meaningfully less secure) to inform them that it’s on the list, so that if they’re using the same password somewhere else (an unfortunate but common occurrence) they will realize that’s a problem and can do something about it.

So: why do password changes work this way?
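An added example, not part of this thread, that makes point 2 concrete: with per-entry salts, a "has anyone ever used this password" check costs one slow key-derivation call per stored hash in the whole user base, while a breached-password blacklist check and a per-user history check stay cheap. The class, user names and the small PBKDF2 iteration count are my assumptions for the demo.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed blacklist: SHA-1 digests of passwords assumed to have leaked
# elsewhere. A real list holds millions of entries; set lookup stays O(1).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password1", "qwerty123", "letmein")}

# Deliberately small iteration count so the example runs in milliseconds;
# a production store uses far more work per hash (or a memory-hard KDF),
# which is exactly what makes a store-wide comparison impractical.
KDF_ITERATIONS = 1_000


class PasswordStore:
    def __init__(self) -> None:
        # user -> [(salt, hash), ...]; index 0 is the live credential, the
        # rest is that user's own history. Salts are unique per entry.
        self.users: Dict[str, List[Tuple[bytes, bytes]]] = {}
        self.kdf_calls = 0  # how many slow hashes the checks so far needed

    def _kdf(self, password: str, salt: bytes) -> bytes:
        self.kdf_calls += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   KDF_ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        entry = (salt, self._kdf(password, salt))
        self.users.setdefault(user, []).insert(0, entry)

    def is_breached(self, password: str) -> bool:
        # Blacklist check: one fast hash plus a set lookup, no KDF at all.
        return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1

    def reused_by_self(self, user: str, password: str) -> bool:
        # Per-user history check: one KDF call per entry of this user only.
        return any(self._kdf(password, s) == h
                   for s, h in self.users.get(user, []))

    def used_by_anyone(self, password: str) -> bool:
        # The check the error message implies. With unique salts there is no
        # shortcut: every stored entry needs its own slow KDF call, so the
        # cost grows with the number of users, not with one user's history.
        return any(self._kdf(password, s) == h
                   for entries in self.users.values() for s, h in entries)
```

Run the three checks against the same candidate password and compare `kdf_calls`: the blacklist check needs none, the self-history check needs as many as that user has entries, and the store-wide check needs one per entry across all users.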

#6 - Feb. 13, 2013, 2:37 p.m.
Blizzard Post

For a detailed outline on the subject of security as it relates to Guild Wars and Guild Wars 2, please see Mike O’Brien’s article on account security.

Check out several tips on security.