Josh Yeager

Reputation: 3793

How can we securely enforce a rule that requires a new password to be 75% different from the previous one?

We have a customer that wants us to enforce a rule that when a user changes their password it is at least 75% different from the previous password.

Right now our passwords are stored with one-way hashes. We don't want to change that, because it would weaken our password security.

But if we can't get the original password, how can we determine whether the new one is 75% different?

Upvotes: 1

Views: 58

Answers (1)

Neil McGuigan

Reputation: 48287

Ask for the old password when changing the password (you should probably be doing this anyway). Now you have the old password in server memory.

Upvotes: 1
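The approach in the answer, as an added worked example (not code from the question or the answer): the change-password handler takes the old password as input, verifies it against the stored one-way hash, and only then compares the two plaintexts, which exist in server memory for the duration of that request. The stored hash is PBKDF2-HMAC-SHA256 from the standard library as a stand-in for whatever salted one-way hash the asker already uses; the in-memory `USERS` dict, the function names and the `min_difference` parameter are assumptions made for the example. The question does not define "75% different", so the metric here is an assumption too: normalized Levenshtein distance, i.e. the fraction of the longer password that has to be edited to turn the old one into the new one.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user store": username -> (salt, pbkdf2 hash).
# It stands in for a database row so the example runs offline.
USERS: dict = {}

PBKDF2_ITERATIONS = 600_000  # assumption: a current-era PBKDF2-HMAC-SHA256 cost


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash. The plaintext is never written to the store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison of the candidate's hash against the stored hash."""
    salt, stored = USERS[username]
    return hmac.compare_digest(hash_password(password, salt), stored)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def difference_ratio(old: str, new: str) -> float:
    """Fraction of the longer password that must change to turn old into new.
    Assumption: this is the interpretation of 'N% different'; the question
    does not define the metric."""
    longest = max(len(old), len(new))
    if longest == 0:
        return 0.0
    return levenshtein(old, new) / longest


def change_password(username: str, old_password: str, new_password: str,
                    min_difference: float = 0.75) -> bool:
    """Change the password only if the caller proves the old one AND the new one
    differs from it by at least min_difference. Returns True on success; on any
    failure the stored hash is left untouched."""
    if not verify_password(username, old_password):
        return False  # caller does not know the current password
    # Both plaintexts are available only here, inside this request.
    if difference_ratio(old_password, new_password) < min_difference:
        return False  # too similar to the previous password
    salt = os.urandom(16)  # fresh salt for the new hash
    USERS[username] = (salt, hash_password(new_password, salt))
    return True


if __name__ == "__main__":
    create_user("alice", "abcdefgh")
    print(change_password("alice", "abcdefgh", "abcdxxxx"))  # 4 of 8 chars changed: rejected
    print(change_password("alice", "abcdefgh", "abxxxxxx"))  # 6 of 8 chars changed: accepted
```

Two caveats follow directly from the one-way hashing the asker wants to keep. First, the similarity check can only run against the immediately previous password, because that is the only plaintext the server ever sees; it cannot be applied to older passwords in a history without storing something reversible. Second, the similarity rule is not a substitute for verifying the old password: the `verify_password` step is what stops someone with a hijacked session from changing the password at all, and the comparison is only meaningful once that check has passed. Whether to normalize case or ignore trailing digits before comparing is a policy choice the question leaves open; the metric above treats every character literally.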
