101


Suppose that someone stole my password, he/she can easily change it by confirming the old password.

So, I am curious that why do we need that step and what is the purpose of using old password confirmation?

10
  • 3
    Note that for the reasons given in the answers to be effective, this policy (or similar) has to apply to all account controlling features. E.g. changing the account's email address, where a password reset feature is present. Commented Jun 15, 2017 at 17:13
  • 33
    @ronaldtgi I assume you are implying "why do we need that step *if we are already logged in*", is that correct? Otherwise the question seems silly.
    – Aaron
    Commented Jun 15, 2017 at 20:14
  • 7
    Also, it is similar to requiring you to retype your password again when you issue a "sudo" command on a Linux computer. Otherwise I step away for 30 seconds without locking my PC, someone quickly types in "sudo maliciouscommand", and I'm hosed, since that person just used root access even though I was not logged in as root. Or like the Windows UAC prompt that you get when installing something. These are all just extra gateways that offer layers of protection.
    – Aaron
    Commented Jun 15, 2017 at 20:18
  • 13
    "Suppose that someone stole my password, he/she can easily change it by confirming the old password." Indeed, but if the system did not ask for the old password it would become "Suppose that someone did not know my password at all, he/she can easily change it to whatever they want". Does that sound secure to you?
    – oerkelens
    Commented Jun 16, 2017 at 11:08
  • 5
    @oerkelens That second statement is not correct, and overestimates the problem. It should be "Suppose that someone did not know my password at all, he/she can easily change it to whatever they want if they have access to a system where I am already logged in". That may be within acceptable limits of security depending on the context. E.g. I probably don't require my burglar alarm system to ask me for my old code when I want to change it, because there isn't a realistic scenario in which it would matter. Commented Jun 16, 2017 at 15:06

6 Answers

358

If you are logged in and I sit down at your computer, I can lock you out of your account and transfer ownership to myself.

8
  • 2
    Often I see that when a password is changed, an email is sent to the address you registered with (or if it was the email address change, 2 emails are sent to new and old addresses) with a special "revert this change" url to avoid just this kind of takeover. Commented Jun 15, 2017 at 10:48
  • 40
    @user1306322 I admit that I have never seen a 'revert this change' option, just a notice that something has been attempted. Do you know which services offer the 'revert' options?
    – schroeder
    Commented Jun 15, 2017 at 11:00
  • 41
    @schroeder Most "changed password" emails I've seen don't usually include a "revert this change" button outright, but they usually do include instructions on what to do if you weren't the one who initiated the change. Usually those instructions tell you to reset your password via the normal email-based account recovery process, which is probably better than merely reverting the change anyway since whoever changed your password in the first place probably already has your old one.
    – Ajedi32
    Commented Jun 15, 2017 at 13:13
  • 2
    @user1306322 that makes more sense to me and matches my experience
    – schroeder
    Commented Jun 15, 2017 at 14:21
  • 1
    Also: CSRF or XSS vulnerabilities won't be able to trivially take over an account.
    – Prinzhorn
    Commented Jun 20, 2017 at 16:10
147

Two main reasons:

  1. If your session is compromised (e.g. you leave the computer and someone else jumps on, or there is a remote session compromise vulnerability), it prevents another person from changing the password, locking you out of your own account.
  2. If you are enforcing a password change, you can then check that the old and new passwords don't match, without needing to store the old password in a recoverable form - you can check it, then check that the new one isn't the same, even with fully salted password hashes. While you can check exact matches with just the hash, it doesn't allow for checks such as "ensure that the new password isn't the old password with the last digit incremented by one", which are sometimes required by more sensitive applications
15
  • 9
    Those other sensitive fields (like email) should indeed be protected with the same security mechanism. Not every site takes that level of care, but it is something that should be done.
    – Soron
    Commented Jun 15, 2017 at 10:26
  • 4
    Saved passwords often pre-fill on the login page but are less likely to pre-fill on the password reset page, requiring a user to explicitly know the old password, instead of it just being saved.
    – mlhDev
    Commented Jun 15, 2017 at 12:28
  • 8
    @Matthew You could even do that by taking the new password, decrementing a final digit, and hashing to see if it's the old password, but having old & new could be convenient for some checks. Commented Jun 15, 2017 at 20:46
  • 1
    Unless you've studied the source code, you don't know whether any extension is spying on you.
    – WGroleau
    Commented Jun 16, 2017 at 19:32
  • 1
    @DavidConrad (1) Checking for hamming distances of 1 or 2 is not significantly slowed down by hashing; and (2) if you don't want people to pick similar passwords, then apparently they're not voluntarily changing it: forcing password changes is not recommended (see NIST recommendation, a Microsoft research from 2008 or something, and common knowledge of what kind of passwords people choose in such events).
    – Luc
    Commented Jun 20, 2017 at 12:14
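The following is an added example, not code from the question or from any answer or commenter above. It is a constructed password-change handler that illustrates Matthew's two points (the current password is required before any change, and having the old password in plaintext at change time allows similarity checks even though only a salted hash is stored) and DavidConrad's hash-only variant (decrement the last digit of the new password and hash it to see whether it matches the stored hash). The in-memory user store, the PBKDF2 iteration count and the similarity rules are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
# Only a salted hash is kept; the old password is never stored in recoverable form.
USERS: Dict[str, Tuple[bytes, bytes]] = {}

DIGITS = "0123456789"


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt (iteration count chosen for the example).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def set_password(username: str, password: str) -> None:
    # Fresh random salt on every change, so even re-using an old password yields a new hash.
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def _bump_last_digit(password: str, delta: int) -> Optional[str]:
    # "Summer2017" -> "Summer2018" for delta=+1; None if the password does not end in a digit.
    if not password or not password[-1].isdigit():
        return None
    return password[:-1] + str((int(password[-1]) + delta) % 10)


def too_similar(old: str, new: str) -> bool:
    # Plaintext-to-plaintext checks, possible only because the user just typed the old password.
    if new.casefold() == old.casefold():
        return True  # identical, or identical apart from letter case
    if new == _bump_last_digit(old, +1):
        return True  # the "last digit incremented by one" pattern from the answer
    core_old, core_new = old.rstrip(DIGITS), new.rstrip(DIGITS)
    if core_old and core_old == core_new:
        return True  # same text, only the trailing digits changed ("Hunter2" -> "Hunter42")
    return False


def new_is_incremented_stored(username: str, new: str) -> bool:
    # Hash-only variant (DavidConrad's comment): derive the candidate old password from the
    # NEW one and check it against the stored hash. Works without the old plaintext, but each
    # pattern you want to catch costs one extra hash computation.
    candidate = _bump_last_digit(new, -1)
    return candidate is not None and verify_password(username, candidate)


def change_password(username: str, old: Optional[str], new: str) -> str:
    """Password-change handler: returns 'ok' or a 'rejected: ...' reason."""
    # A hijacked session or a forged cross-site request carries the session cookie but not
    # the current password, so it is stopped here before anything else is considered.
    if not old:
        return "rejected: current password required"
    if not verify_password(username, old):
        return "rejected: current password incorrect"
    if too_similar(old, new):
        return "rejected: new password too similar to current one"
    set_password(username, new)
    return "ok"


if __name__ == "__main__":
    set_password("alice", "Summer2017")
    print(change_password("alice", None, "anything"))
    print(change_password("alice", "Summer2017", "Summer2018"))
    print(change_password("alice", "Summer2017", "correct horse battery staple"))
```

Note the trade-off the two similarity functions illustrate: with the old plaintext in hand, `too_similar` can apply any rule cheaply, whereas `new_is_incremented_stored` needs one full PBKDF2 computation per candidate pattern and can only cover patterns you enumerate in advance.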
97

To augment the other answers, I'll add to confirm that the keyboard is working as the user intends.

Caps lock can invert the case, and Num lock can change whether typing e.g. a "4" on the keypad will instead move the cursor left. Some interfaces show a warning, but many don't.

Most OSs have software keyboard layouts. Being able to type your old password correctly is good evidence that you're intent on using the current layout.

I've also had individual keys stop working, which causes frustration as you troubleshoot why you can't login from any other keyboard.

3
  • 8
    "I've also had individual keys stop working, which causes frustration as you troubleshoot why you can't login from any other keyboard." You mean you set the password from a broken keyboard and then couldn't log in on any other keyboard? :D Wow, that's actually a really interesting scenario.
    – Wildcard
    Commented Jun 20, 2017 at 4:26
  • 2
    @Wildcard I once had a situation in which the lay-out of my keyboard changed between password setup and login afterwards. Imagine troubleshooting these issues in situations where you can't read the password in plaintext. It was a Windows login and my user's keyboard lay-out was different than the OS'
    – BlueCacti
    Commented Jun 21, 2017 at 11:18
  • Steam had (has?) an issue with Big Picture mode and some controllers, where some of the keys shown on the interface don't match what is actually entered when pressing that controller button. So if you set a passcode with a keyboard, you might not be able to enter it on a controller, and vice versa. Commented Jun 22, 2017 at 11:43
10

I think that confirming the old password doesn't help you secure your account in the case where you lost your password. But it does make sense when no one has stolen your password, because it makes sure that you are the only one who can change your password (because only you know your password). For example, no one knows your Facebook password, but you've already logged in to Facebook with your account on your cell phone, and then your friend borrows your phone. If he/she wants to change your password, it's impossible without knowing your current password.

3
  • 1
    Well, they could just reset the password and open your email, but the idea is right.
    – Tim
    Commented Jun 15, 2017 at 16:09
  • 6
    This is a dupe of #1 in this answer above.
    – user125213
    Commented Jun 18, 2017 at 21:20
  • 1
    Unless it's your Skype account and you've lost your password. Then you're just screwed. (You can keep using the Skype account on the devices you're logged in on, but once they go obsolete and unsupported you're forever locked out.) (Skype password reset process is almost impossible to get approved.)
    – Wildcard
    Commented Jun 20, 2017 at 4:25
2

It is to help you keep the account with yourself.

Some Scenarios

  1. Your cookie is stolen by someone via a middleware or by some other method; then, if the site didn't prompt you for the old password, they can change the password and recovery email, and then the account no longer belongs to you.

  2. If someone has access to a system on which you are logged in, they can change the password and then the recovery email, and then the account no longer belongs to you.

1
  • This is a direct dupe of Matthew's answer 5 days before yours. If you have a unique perspective to provide, then please edit the post to include it. Don't just repeat other answers.
    – schroeder
    Commented Jun 19, 2021 at 15:59
2

Cross-Site Request Forgery (CSRF) protection. This likely isn't the primary reason, but sites that don't otherwise use any CSRF protection but happen to require the old password for password changes have protected at least that one request from CSRF attacks.
