password policy
65 Posts 31 Posters 3 Views 1 Watching
V. wrote:

    Well, we don't need to re-enter the old password and, assuming it does not save it in clear text, how is it comparing the old (encrypted) password to the new (encrypted) one? Example: OLD password text: god_123, encrypted: &#HDSW. NEW password text: god_124, encrypted: )#@^Y@. It should not save the text version and it should not be able to compare the encrypted version, right? [EDIT]We are "logged in" though (LDAP), but I'm assuming, equally, the password is not saved in memory either...[/EDIT]

    V.

    (MQOTD rules and previous solutions)

Robin Bassett wrote (#61):

    The passwords don't need to be stored plaintext in order to check for similar passwords. The password checker could create several variations of your proposed password, hash them and compare to your previous password hashes. For example, if the last character is a number, all digits [0-9] could be tried at that position.

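The check described in the post above, written out as an added example (this is not code from the thread, from Active Directory or from any product). The previous password survives only as a salted one-way hash (PBKDF2-HMAC-SHA256 here); the proposed password is expanded into nearby spellings, each variant is hashed with the stored salt, and a match on any variant rejects the change. The variant rules and the `god_123` / `god_124` sample are constructed for this example and are an assumption, not any real policy engine's list.

```python
"""Reject a new password that is 'too similar' to the old one, using only hashes.

Added example, not from the thread. Assumptions: PBKDF2-HMAC-SHA256 as the
password hash, a constructed variant list, and a constructed sample history.
"""
import hashlib
import hmac
import os
import string
from typing import Iterable

# KDF cost. Kept moderate so the example runs quickly; a deployment would use a
# higher count (or Argon2/bcrypt), which makes every variant check proportionally
# more expensive. That cost is the price of never storing plaintext.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, one-way hash. There is no inverse: the old plaintext is unrecoverable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def password_variants(candidate: str) -> list[str]:
    """Return the candidate plus spellings a user might have 'rotated' it from.

    Variant rules are an assumption for this example: case changes, the trailing
    digit run swapped / incremented / decremented / stripped, and one trailing
    character dropped. Order is preserved and duplicates removed.
    """
    variants = [
        candidate,
        candidate.lower(),
        candidate.upper(),
        candidate.swapcase(),
        candidate[:1].swapcase() + candidate[1:],   # "God_123" <-> "god_123"
    ]
    stem = candidate.rstrip(string.digits)
    digits = candidate[len(stem):]
    if digits:
        variants.append(stem)                         # "god_123" -> "god_"
        for d in string.digits:                       # try every last digit
            variants.append(stem + digits[:-1] + d)
        n, width = int(digits), len(digits)
        if n > 0:
            variants.append(stem + str(n - 1).zfill(width))   # handles carries: 200 -> 199
        variants.append(stem + str(n + 1).zfill(width))
    variants.append(candidate[:-1])                   # "god_1234" -> "god_123"

    out, seen = [], set()
    for v in variants:
        if v and v not in seen:
            seen.add(v)
            out.append(v)
    return out


def too_similar(candidate: str, history: Iterable[tuple[bytes, bytes]]) -> bool:
    """True if any variant of `candidate` hashes to any stored (salt, hash) pair.

    Work is len(variants) * len(history) KDF evaluations. Only variants that are
    enumerated can be caught; a change outside the variant rules passes.
    """
    variants = password_variants(candidate)
    for salt, old_hash in history:
        for v in variants:
            if hmac.compare_digest(hash_password(v, salt), old_hash):
                return True
    return False


def demo() -> dict[str, bool]:
    """Constructed sample: the thread's own god_123 -> god_124 change."""
    salt = os.urandom(16)
    history = [(salt, hash_password("god_123", salt))]   # plaintext is discarded here
    return {
        "god_124": too_similar("god_124", history),                  # last digit changed
        "God_123": too_similar("God_123", history),                  # case changed
        "god_1234": too_similar("god_1234", history),                # digit appended
        "correct horse battery staple":
            too_similar("correct horse battery staple", history),    # unrelated
    }


if __name__ == "__main__":
    for candidate, rejected in demo().items():
        print(f"{candidate!r}: {'too similar' if rejected else 'ok'}")
```

Two things to notice: the check never needs the old plaintext, which answers the question in the post, and it only catches changes the variant rules anticipate, so the rule list is the policy. With a deliberately slow KDF the check costs one KDF evaluation per variant per remembered password, so a long history plus a generous variant list can make a password change noticeably slow.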
F-ES Sitecore wrote:

    V. wrote:

        how is it comparing the old (encrypted) password to the new (encrypted) one?

    It decrypts it first, encryption is two-way. So it takes "&#HDSW" from the database as your old password and decrypts it to "god_123". It then compares that to the new password you've entered.

kabadi wrote (#62):

It should be stored as a hash, not encrypted. A hash is one-way, i.e. not able to be decrypted.

Worried Brown Eyes wrote:

    I think this could go alongside Godwin's Law - the longer an on-line debate about passwords continues, the probability of someone linking to xkcd 936 approaches certainty. Won't somebody think of the horses (and staples)?

kdmote wrote (#63):

> I think this could go alongside Godwin's Law - the longer an on-line debate about passwords continues, the probability of someone linking to xkcd 936 approaches certainty.

...which of course increases the probability of someone linking to xkcd 261.

V. wrote:

    So we have a new password policy here at work and one of the rules is you cannot change it into something that is too similar to the previous one. Question: how is that determined, since the hash value should change significantly if you change just one letter?

    V.

    (MQOTD rules and previous solutions)

Lost User wrote (#64):

"Soundex" (related) technology perhaps: https://msdn.microsoft.com/en-us/library/ms187384.aspx

phil o wrote:

    In Active Directory, there is a GPO that you can activate to force password storage in plain text. I cannot imagine any situation where that would be suitable, though. On the other hand, the security breach concerning passwords must not be observed only through their storage on the servers; humans themselves may represent a non-negligible risk when it comes to password security (writing them down on a sticky note, always following the same pattern, references to family, friends, pets, etc.).

    Loneliness and cheeseburgers are a dangerous mix.

Brady Kelly wrote (#65):

I have a little black A6 notebook, one of the ubiquitous ones with hard covers and a red spine, and I am ceasing the practice of using only a few passwords and setting a new one for each account. Then every new user-password pair is written into that book. My passwords, except on their systems, can only be found in one place, and nowhere online. And if I buy the farm, friends and family can look up needed passwords in that book, without having to subscribe anywhere online or know any other password. I think that book has one of the highest levels of all password storage security strategies that exist. Oh yes, and I never say them out loud as I write them, in case someone, somewhere, somehow, is listening in on me.

            Follow my adventures with .NET Core at my new blog, Erisia Information Services.
