Re: Password previously used ideas?
- From: Rob <ratkinson@xxxxxxxxxxxxx>
- Date: Wed, 29 Oct 2008 02:02:43 -0700 (PDT)
On Oct 28, 11:47 pm, Iván Sánchez Ortega <ivansanchez-...@rroba-
escomposlinux.-.punto.-.org> wrote:
Hugh Oxford wrote:
Use a separate table for used passwords, [...]
Of course I _could_ do this but I was looking for a way to avoid it.
Why?
I don't need to know what the old passwords were, I just need to know
that they aren't reusing them.
Of course you need to know what the old passwords were! How could you tell
if a password was used recently if you didn't keep that information?!
OTOH, if you don't want to keep the *cleartext* passwords in your DB for
security and/or privacy concerns, just hash the used passwords.
--
----------------------------------
Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-
Your supervisor is thinking about you.
Agree with Ivan, separate table with username, hashed password and
date.
Would make one change though. Rather than deleting the older entries,
I'd simply do a SELECT * FROM oldpasswords WHERE user = x AND
password = y AND created_date > z.
You can then write a weekly/monthly script that clears out the old
passwords periodically.
Rob.
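
The design described in this message (a table of user, hashed password and date, a date-windowed lookup, and a periodic purge), as an added example that is not part of the original thread. It assumes salted PBKDF2 hashes, so the "password = y" match is done in application code rather than in SQL; SQLite, the one-year window, the salt column and the function names are assumptions.

```python
import hashlib, hmac, os, sqlite3
from datetime import datetime, timedelta, timezone

HISTORY_WINDOW = timedelta(days=365)  # assumed policy: no reuse within one year
PBKDF2_ROUNDS = 200_000               # assumed work factor

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE oldpasswords (user TEXT NOT NULL, salt BLOB NOT NULL,"
               " password BLOB NOT NULL, created_date INTEGER NOT NULL)")
    db.execute("CREATE INDEX oldpasswords_user_date ON oldpasswords (user, created_date)")
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def record_password(db, user, password, when):
    """Store a salted hash of the password being set, stamped with its date."""
    salt = os.urandom(16)
    db.execute("INSERT INTO oldpasswords VALUES (?, ?, ?, ?)",
               (user, salt, _hash(password, salt), int(when.timestamp())))

def recently_used(db, user, candidate, now):
    """True if candidate matches a password this user set inside the window."""
    cutoff = int((now - HISTORY_WINDOW).timestamp())
    rows = db.execute("SELECT salt, password FROM oldpasswords"
                      " WHERE user = ? AND created_date > ?", (user, cutoff)).fetchall()
    # Each row has its own salt, so "password = y" cannot be evaluated in SQL:
    # re-hash the candidate per row and compare in constant time.
    return any(hmac.compare_digest(_hash(candidate, salt), stored)
               for salt, stored in rows)

def purge_expired(db, now):
    """The periodic clean-up job: drop rows older than the window."""
    cutoff = int((now - HISTORY_WINDOW).timestamp())
    return db.execute("DELETE FROM oldpasswords WHERE created_date <= ?",
                      (cutoff,)).rowcount

if __name__ == "__main__":
    db = open_db()
    now = datetime(2008, 10, 29, tzinfo=timezone.utc)  # constructed sample data
    record_password(db, "alice", "old-secret", now - timedelta(days=400))
    record_password(db, "alice", "recent-secret", now - timedelta(days=30))
    print(recently_used(db, "alice", "recent-secret", now))
    print(recently_used(db, "alice", "old-secret", now))
    print(purge_expired(db, now))
```

Because the lookup already filters on created_date, the purge only bounds table size; a late or skipped purge run does not change which passwords are rejected.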