Timeline for How to implement a safe password history
Current License: CC BY-SA 3.0
5 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Oct 7, 2023 at 17:35 | vote | accept | Wizard79 | | |
| Nov 27, 2012 at 16:56 | comment | added | Nathan Long | | Yes. If their current password is potatoSalad1 and they want to update to potatoSalad2, you tell the change is too small because you have both plain text passwords at that moment. But further back than that, you have only hashes, and the nature of hashes is that you can't tell whether two hashes had similar or completely different plain text as input. |
| Nov 27, 2012 at 16:06 | comment | added | Brian | | @Lorenzo: The idea is that you do a direct test against the n previous passwords and a stronger test against the last password. It's a compromise. |
| Nov 27, 2012 at 16:03 | comment | added | Wizard79 | | Well this is certainly a clever workaround if you don't have a requirement of testing against n previous passwords, however the suggestion of generating the alternatives just in time is better. But generating alternatives of both passwords is even better! |
| Nov 27, 2012 at 15:47 | history | answered | Brian | CC BY-SA 3.0 | |