If there were a data breach where a hacker could figure out the encryption algorithm, you don’t want users to reuse an older password because those older passwords could’ve already been cracked.
By the way, this is why you should also never use the same password for every site. If one of your passwords is leaked and linked to a similar username or email, everything is vulnerable. I’ve had this happen before (the Target breach). After that I started using SSO exclusively, with a random 16 char password manager if SSO isn’t an option (crossing my fingers that bitwarden doesn’t get hacked like LastPass)
I understand when you are prompted to change, but not when you aren’t. As I mentioned in another comment I remember Epic basically trolling me into resetting my password almost daily at some point
There could be many reasons they don’t prompt you to change: they meant to send an email but your notification preferences disallowed it, they sent an email and you missed it, they wanted to keep it quiet, they forgot to add the message and ux flow to change password, or they’re incompetent and didn’t know they needed to do that.
The Epic thing I’ve never seen before but that’s definitely incompetence and/or a very weird bug that just slipped past them.
Because it runs the hash again on the new password against the old one, if it matches the old one you are told to change it as you used the old password again.
Yes yes but I don’t mean when I’m told to change one. I mean when I’m trying to login as usual, password doesn’t work, so I change it. Just to test of the password I was using was wrong, that’s what I use first- and it’s rejected.
I remember Epic would do this on a DAILY basis at some point last year. It was so irritating. “Ah yes the brand new password from yesterday that worked yesterday but that we didn’t recognise on the login page today? Well we do recognise here on the reset, jokes on you!”
Why does this happen though? I always wondered why is it that a platform recognises your old password only when you are trying to change it
If there were a data breach where a hacker could figure out the encryption algorithm, you don’t want users to reuse an older password because those older passwords could’ve already been cracked.
By the way, this is why you should also never use the same password for every site. If one of your passwords is leaked and linked to a similar username or email, everything is vulnerable. I’ve had this happen before (the Target breach). After that I started using SSO exclusively, with a random 16 char password manager if SSO isn’t an option (crossing my fingers that bitwarden doesn’t get hacked like LastPass)
I understand when you are prompted to change, but not when you aren’t. As I mentioned in another comment I remember Epic basically trolling me into resetting my password almost daily at some point
There could be many reasons they don’t prompt you to change: they meant to send an email but your notification preferences disallowed it, they sent an email and you missed it, they wanted to keep it quiet, they forgot to add the message and ux flow to change password, or they’re incompetent and didn’t know they needed to do that.
The Epic thing I’ve never seen before but that’s definitely incompetence and/or a very weird bug that just slipped past them.
Because it runs the hash again on the new password against the old one, if it matches the old one you are told to change it as you used the old password again.
Yes yes but I don’t mean when I’m told to change one. I mean when I’m trying to login as usual, password doesn’t work, so I change it. Just to test of the password I was using was wrong, that’s what I use first- and it’s rejected.
I remember Epic would do this on a DAILY basis at some point last year. It was so irritating. “Ah yes the brand new password from yesterday that worked yesterday but that we didn’t recognise on the login page today? Well we do recognise here on the reset, jokes on you!”
Microscopic trolls inside the internet tubes. I think that’s the technical term.