Re: Password previously used ideas?
- From: "C. (http://symcbean.blogspot.com/)" <colin.mckinnon@xxxxxxxxx>
- Date: Wed, 29 Oct 2008 05:23:15 -0700 (PDT)
On 28 Oct, 20:23, Hugh Oxford <ares...@xxxxxxx> wrote:
> Hi Folks,
> This is more for an intellectual exercise. It's not a difficult problem
> but it might be interesting to find out different solutions.
> So you have users, and they have passwords, stored in SHA1. You have a
> policy which forces users to change their passwords every month or so.
> So how to prevent them using two passwords and interchanging them? But
> they must be able to reuse a password eventually.
> I thought a separate db field to which old passwords are appended with a
> separator, such as _. If the total instances of _ exceed 6, whenever a
> password is appended, the first one is removed. Then all you do is a
> substring search to find out if the new password is in this string, and
> reject it if it is.
> But is there a neater way?
This has always been one of my pet bug-bears. How does changing
passwords improve security? It makes them harder to remember which
makes users more likely to write them down - or choose something which
is more like a dictionary word. If a password is compromised then
later changed - sure the black hat can no longer get access with the
same credentials - but it doesn't miraculously undo any damage they
have done.
If security is a concern then do 2-factor authentication properly.
C.
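For reference, the password-history scheme Hugh describes (keep the last six old passwords, drop the oldest on each change, reject a new password that matches any of them) can be implemented without the joined-string field. The following is an added example, not code from either poster; it is written in Python rather than the newsgroup's PHP so it runs as-is, and it deliberately replaces the post's unsalted SHA1 with a salted PBKDF2-SHA256 hash per history entry. The names `PasswordHistory`, `change_password`, `HISTORY_DEPTH` and `PBKDF2_ROUNDS` are this example's own.

```python
import hashlib
import hmac
import os
from collections import deque

# Parameters chosen for this example (hypothetical, not from the post).
HISTORY_DEPTH = 6       # the "six old passwords" limit from the post
PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly; tune upward in production
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash. One fresh salt per stored entry, so two identical
    passwords never produce identical stored values and an attacker with the
    table cannot crack the whole history with a single precomputed list."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """The last HISTORY_DEPTH (salt, digest) pairs for one user.

    A bounded deque replaces the '_'-separated string: appending a seventh
    entry discards the oldest automatically, which is exactly the rotation
    rule from the post and is what lets a password become reusable again.
    """

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)

    def was_used(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed once per
        # entry. Equality, not substring search, and compared in constant time.
        for salt, digest in self._entries:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False

    def record(self, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._entries.append((salt, hash_password(password, salt)))

    def __len__(self) -> int:
        return len(self._entries)


def change_password(history: PasswordHistory, new_password: str) -> bool:
    """Apply the policy: refuse a password that matches any of the retained
    history entries, otherwise record it (the caller would also update the
    user's current credential). Returns True when the change was accepted."""
    if history.was_used(new_password):
        return False
    history.record(new_password)
    return True


if __name__ == "__main__":
    h = PasswordHistory()
    print(change_password(h, "winter2008"))   # accepted
    print(change_password(h, "winter2008"))   # rejected: in history
    for pw in ["a1", "a2", "a3", "a4", "a5", "a6"]:
        change_password(h, pw)
    print(change_password(h, "winter2008"))   # accepted again: aged out of the last six
```

Two points the string-concatenation version hides: a substring search is only an equality test when every entry has a fixed length and cannot contain the separator, which holds for 40-character hex SHA1 digests but not for anything else you might later store in that field; and per-entry salting means a history check costs one hash computation per retained entry, so the depth of the history is also a CPU budget for the login service.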