Reputation: 3746
I am working on an asp.net application where one of the security requirements is that the application must enforce "password history" - (remember previous 8 passwords).
I would like to know if someone has an experience designing a table (using SQL 2008) for this purpose. So far, I am thinking of just having one table, and one field per previous password and one field for the date of the password.
Any other suggestions / best practices?
Upvotes: 1
Views: 235
Reputation: 144
Remember to implement a rate limit on the password changes. My experience suggests that users will find out if there is none and will change their password 9 times in a row to end up with the old one if you leave that chance...
Other best practices really depend on how secure you want the system to be. One thing I've seen done, for instance, is trying a 10-second bruteforce using the new password as a seed (for existing tools) or with basic iteration. I.e., if you see a password in the form of foobar5, try to see if foobar1/2/3/4 match any of the old hashes.
Upvotes: 1
Reputation: 1653
I would create a password history table just for storing the old passwords, salted and hashed of course. This is a classic one to many relationship, having 8 fields for 8 different old passwords seems brittle.
You can store the date of each historical password with it in the password history table for aging out when they have changed the password more than 8 times.
Upvotes: 1
Reputation: 30628
Your suggestion sounds fine, but I would recommend storing salted hashes of the password instead. You'd either need to keep the salt constant per user and store it on the user table, or store it with the previous password entry if you want to refresh the salt each time the password is changed. The first option makes for the simplest database query to check previous passwords; with the latter, you'll have to do each comparison individually.
Upvotes: 1
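Putting the answers above together (the one-to-many history table with a date per row, per-row salts so each old hash is compared individually, and a rate limit on changes), here is an added Python example that is not code from the question or from any of the answers. It models one user's `password_history` rows in memory; the PBKDF2 round count, 16-byte salt, and 24-hour minimum interval are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HISTORY_DEPTH = 8                 # remember the 8 most recent passwords (current one included)
PBKDF2_ROUNDS = 100_000           # assumed work factor; tune for your hardware
MIN_CHANGE_INTERVAL = timedelta(hours=24)  # assumed rate limit between password changes


@dataclass
class HistoryRow:
    """One row of the password_history table: (user_id,) salt, hash, changed_at."""
    salt: bytes
    digest: bytes
    changed_at: datetime


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; a constant-time compare is used when checking it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    rows: list = field(default_factory=list)  # oldest first, newest last

    def matches_previous(self, candidate: str) -> bool:
        # Each row has its own salt, so the candidate is re-hashed and compared per row
        # (the "compare individually" cost of refreshing the salt on every change).
        for row in self.rows:
            if hmac.compare_digest(hash_password(candidate, row.salt), row.digest):
                return True
        return False

    def change_password(self, new_password: str, now: datetime) -> bool:
        """Return True if the change was accepted, False if rate-limited or a reuse."""
        if self.rows and now - self.rows[-1].changed_at < MIN_CHANGE_INTERVAL:
            return False  # blocks cycling through 9 changes just to get the old password back
        if self.matches_previous(new_password):
            return False  # reuse of one of the remembered passwords
        salt = os.urandom(16)
        self.rows.append(HistoryRow(salt, hash_password(new_password, salt), now))
        # Age out: keep only the newest HISTORY_DEPTH rows, ordered by changed_at.
        del self.rows[:-HISTORY_DEPTH]
        return True
```

In SQL the same aging step is a DELETE of the user's rows that fall outside the newest 8 by `changed_at`, run in the same transaction as the INSERT of the new row.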