Re: Password previously used ideas?
- From: Geoff Muldoon <geoff.muldoon@xxxxxxxxxxxxxx>
- Date: Wed, 29 Oct 2008 08:46:08 +1100
Hugh Oxford says...
So you have users, and they have passwords, stored in SHA1. You have a
policy which forces users to change their passwords every month or so.
So how to prevent them using two passwords and interchanging them? But
they must be able to reuse a password eventually.
I thought a separate db field to which old passwords are appended with a
separator, such as _. If the total instances of _ exceed 6, whenever a
password is appended, the first one is removed. Then all you do is a
substring search to find out if the new password is in this string, and
reject it if it is.
Is the underscore character invalid in your passwords? If not you're in
trouble.
Use a separate table for used passwords, with columns of user, password
and date. On an insert check for the number of entries for a user and
delete the oldest dated one when the count reaches your threshold. Would
also be a much more efficient check for reuse matches.
Geoff M
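An added example of the separate-table design Geoff describes above; it is not code from this thread or from either poster. It uses SQLite and a table named password_history (column names are my choice), keeps the six-entry threshold from Hugh's message, and in place of the thread's bare SHA1 stores a per-entry salt plus a PBKDF2 hash, so a reuse check means re-deriving the candidate against each stored entry rather than doing a substring search. The trim step deletes everything older than the newest six rows for that user, which is the "delete the oldest dated one" rule applied as a single query.

```python
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timezone

HISTORY_LIMIT = 6          # threshold from the thread: remember the last 6 passwords
PBKDF2_ITERATIONS = 100_000  # assumption: a slow salted hash instead of the thread's plain SHA1

# Assumed schema: one row per historical password, keyed by user and dated.
SCHEMA = """
CREATE TABLE IF NOT EXISTS password_history (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL,
    salt     BLOB NOT NULL,
    pw_hash  BLOB NOT NULL,
    changed  TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS ix_history_user ON password_history (username, changed);
"""


def open_db(path=":memory:"):
    """Open (or create) the database and make sure the history table exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def hash_password(password, salt):
    """Derive a fixed-length hash from the password and a per-entry random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def history_count(conn, username):
    """Number of remembered passwords for this user (never exceeds HISTORY_LIMIT)."""
    row = conn.execute(
        "SELECT COUNT(*) FROM password_history WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


def was_used_recently(conn, username, candidate):
    """True if the candidate matches any of the user's last HISTORY_LIMIT passwords."""
    rows = conn.execute(
        "SELECT salt, pw_hash FROM password_history WHERE username = ? "
        "ORDER BY changed DESC, id DESC LIMIT ?",
        (username, HISTORY_LIMIT),
    ).fetchall()
    for salt, stored in rows:
        # Each entry has its own salt, so re-derive the candidate per entry;
        # constant-time comparison avoids leaking which bytes matched.
        if hmac.compare_digest(hash_password(candidate, salt), stored):
            return True
    return False


def record_password_change(conn, username, new_password):
    """Reject a recently used password; otherwise store it and trim the history.

    Returns True when the change was accepted, False when it was rejected.
    """
    if was_used_recently(conn, username, new_password):
        return False
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO password_history (username, salt, pw_hash, changed) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(new_password, salt),
         datetime.now(timezone.utc).isoformat()),
    )
    # Keep only the newest HISTORY_LIMIT rows for this user; the id tiebreak
    # keeps ordering stable if two changes land on the same timestamp.
    conn.execute(
        "DELETE FROM password_history WHERE username = ? AND id NOT IN ("
        "  SELECT id FROM password_history WHERE username = ? "
        "  ORDER BY changed DESC, id DESC LIMIT ?)",
        (username, username, HISTORY_LIMIT),
    )
    conn.commit()
    return True


if __name__ == "__main__":
    db = open_db()
    for pw in ["pw1", "pw2", "pw3", "pw4", "pw5", "pw6", "pw7"]:
        record_password_change(db, "alice", pw)
    print("reuse of pw7 rejected:", not record_password_change(db, "alice", "pw7"))
    print("reuse of pw1 (aged out) accepted:", record_password_change(db, "alice", "pw1"))
    print("history size:", history_count(db, "alice"))
```

Because the hashes are salted, the check costs one derivation per remembered entry, which is why the history is capped at the threshold rather than grown without bound; the per-user index keeps the lookup itself cheap.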