Comment by claudex
2 days ago
There are policies to prevent changing the password more than once a day to prevent that. I've encountered it in several places
2 days ago
There are policies to prevent changing the password more than once a day to prevent that. I've encountered it in several places
Fascinating. In other words:
In order to force the user to change their password more frequently (long term), the user is prevented from changing their password too frequently (short term).
I wonder whether the person who added that is actually confident that the benefits outweigh the drawbacks or is that a case of tunnel vision.
There are also systems that keep a history of old passwords just to prevent you from reusing one.
I like the ones that not only keep a history of your old passwords but will reject any password that is similar to any of your 30 previous passwords, which means they're storing either a plaintext or reversibly encrypted list of every password somewhere on the system. Talk about a goldmine for the hacker that dumps that database.
Something like that could probably be implemented by storing multiple hashes of some automatically modified versions of the password. For example, if your password is "PassWorD" they can additionally store the hash of the lowercase version of the password. So if you change it from "PassWorD" to "paSswOrd", they will see it has the same lowercase hash as the previous one without knowing it.
Ye. If the insane password gatekeeper shenanigans don't make you input your old password together with the new, you know they store your passwords.
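The two approaches raised in the comments above (hashing normalised variants of each password, and comparing against the old password typed on the change form), sketched as an added example that is not part of the thread. It goes slightly beyond the lowercase case by also hashing a trailing-digit-stripped variant; the function names, that extra variant and the PBKDF2 parameters are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # constructed demo value, not a recommendation


def variants(password):
    """Normalised forms: exact, case-folded, case-folded minus trailing digits."""
    folded = password.casefold()
    stem = re.sub(r"\d+$", "", folded) or folded  # all-digit input keeps its digits
    return {"exact": password, "folded": folded, "stem": stem}


def _hash(text, salt):
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, ITERATIONS)


def make_record(password):
    """History entry: one salt plus a hash per variant; no plaintext is kept."""
    salt = os.urandom(16)
    hashes = {name: _hash(text, salt) for name, text in variants(password).items()}
    return {"salt": salt, "hashes": hashes}


def similar_to_history(candidate, history):
    """Return the name of the first variant matching a stored record, else None."""
    for record in history:
        for name, text in variants(candidate).items():
            digest = _hash(text, record["salt"])
            if hmac.compare_digest(digest, record["hashes"][name]):
                return name
    return None


def similar_to_current(candidate, current_plaintext):
    """Compare with the old password supplied on the change form; stores nothing."""
    return variants(candidate)["stem"] == variants(current_plaintext)["stem"]


if __name__ == "__main__":
    history = [make_record("PassWorD")]            # constructed sample data
    print(similar_to_history("paSswOrd", history))  # case-only change
    print(similar_to_current("Summer2025", "summer2024"))
```

The variant hashes are a weaker target than the exact hash: an attacker who dumps the table and cracks the case-folded hash only has the letter case left to recover. They still catch only the transformations chosen in advance, not arbitrary edit-distance similarity.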