Reputation: 140
I am currently working on a project where I would like to make sure that users do not reuse their recent passwords, or choose passwords that are too similar to their current password (i.e. just tacking a number or symbol such as a '!' onto the end of the password).
I have seen websites and applications that have enforced these rules. While I can see how to test for reuse of passwords by keeping a table of the hashes for comparison, how do systems enforce the not being similar test without having to store the passwords in plain text in the database?
Your guidance would be gratefully appreciated.
Upvotes: 1
Views: 38
Reputation: 3
You would need to kind of brute force it, I think.
Take the inputted password, throw it in a loop that adds an extra character at the end, beginning, wherever, and then match it against the stored hash.
To give you an idea, you can look at the John The Ripper single crack mode and custom rules.
Upvotes: 0
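The approach described in that answer, as an added example (not the answerer's code): at password-change time the new password is available in plaintext, so the check derives a small neighbourhood of trivial edits from it (trailing or leading characters stripped or added, case flipped) and verifies each one against the stored hash of the old password. PBKDF2 parameters and the `EDGE_CHARS` set are constructed for the example.

```python
import hashlib
import hmac
import os
import string
from typing import Iterator, Optional, Tuple

# Constructed settings for the example; a real deployment uses its own KDF and cost.
ITERATIONS = 20_000
EDGE_CHARS = string.digits + "!@#$%^&*"  # characters users commonly tack on


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh salt is generated when absent."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


def variants(new_password: str, max_trim: int = 2) -> Iterator[str]:
    """Yield the new password and the trivial edits that could map it to the old one."""
    yield new_password                      # exact reuse
    for n in range(1, max_trim + 1):
        yield new_password[n:]              # old password with characters prepended
        yield new_password[:-n]             # old password with characters appended
    for c in EDGE_CHARS:
        yield new_password + c              # old password had one more trailing char
        yield c + new_password              # old password had one more leading char
    yield new_password.swapcase()           # case-only changes
    yield new_password.lower()


def too_similar(new_password: str, salt: bytes, stored_hash: bytes) -> bool:
    """True if the new password, or a trivial edit of it, matches the old password's hash."""
    seen = set()
    for cand in variants(new_password):
        if not cand or cand in seen:        # skip empty strings and duplicate candidates
            continue
        seen.add(cand)
        if verify(cand, salt, stored_hash):
            return True
    return False
```

Every candidate costs one full slow-hash computation, so the neighbourhood has to stay small; the check only makes sense at change time, when the plaintext of the new password is in hand.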