SamTheSammich

Reputation: 255

How does the system know when a password contains parts of a previous password?

Probably a super basic question. I know many online services hash and salt passwords instead of storing them as plaintext for security purposes. My university's web portal requires students to change their passwords every 6 months. From what I know, the system is built on Oracle software.

My question is, however, how does the system know when my 20 character long password (with capitals, numbers, and symbols) contains 3 characters in the same order as the new password I'm trying to set? If the passwords are hashed, shouldn't the algorithm be one-way? Or is it possible that the system encrypts the plaintext passwords and stores them? Wouldn't that be less secure?

Sorry if the question is hard to understand. Let me know if you need me to clarify. Thanks in advance!

Upvotes: 6

Views: 368

Answers (3)

Nick Brunt

Reputation: 10067

If you have to enter your previous password when creating a new one, the system can compare them directly. This could even be done client-side.

EDIT

There are only a few other possibilities:

  • They store your password in plaintext (in which case they should fire their entire IT department)
  • Their encryption method is two-way i.e. it can be decrypted (in which case they should fire their entire IT department)
  • They temporarily store your password when you log in. Maybe in a cookie or on the server. (In which case they should fire their entire IT department)

Upvotes: 12
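An added illustration of the first point in this answer (example code written for this page, not the university's system or any answerer's code; the in-memory store and PBKDF2 parameters are assumptions): the stored record holds only a salt and a hash, the "3 characters in the same order" rule is evaluated on the two plaintexts the user types during the change request, and exact reuse of older passwords is checked against retained hashes alone.

```python
import hashlib
import hmac
import os

# Constructed in-memory user table (hypothetical): only salt + hash are stored,
# never the plaintext. Old hashes are retained for exact-match history checks.
USERS = {}

def _hash(password: str, salt: bytes) -> bytes:
    # Assumed KDF for the example; any slow salted hash works the same way here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(user: str, password: str) -> None:
    salt = os.urandom(16)
    rec = USERS.setdefault(user, {"salt": None, "hash": None, "history": []})
    if rec["hash"] is not None:
        rec["history"].append((rec["salt"], rec["hash"]))
    rec["salt"], rec["hash"] = salt, _hash(password, salt)

def verify(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

def shares_run(old: str, new: str, n: int = 3) -> bool:
    """True if any n consecutive characters of `old` appear, in order, in `new`."""
    return any(old[i:i + n] in new for i in range(len(old) - n + 1))

def change_password(user: str, old: str, new: str, n: int = 3) -> str:
    """Return 'ok' or a rejection reason.

    The substring rule needs the old plaintext, which is available only because
    the user typed it in this request; nothing stored is ever decrypted.
    """
    if not verify(user, old):
        return "old password incorrect"
    rec = USERS[user]
    # Exact reuse of an earlier password is detectable from stored hashes alone.
    for salt, h in rec["history"]:
        if hmac.compare_digest(_hash(new, salt), h):
            return "matches an earlier password"
    if shares_run(old, new, n):
        return f"shares {n}+ consecutive characters with the old password"
    set_password(user, new)
    return "ok"
```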

alan

Reputation: 890

The system can only check if the new password matches the old password exactly (compares the hashes). If it's checking substring matches, the passwords are likely being stored in plaintext.

No bueno.

EDIT: Or what Nick said, of course.

Upvotes: 1

Chriseyre2000

Reputation: 2053

It is likely that the previous password table is encrypted (possibly using rot26).

Upvotes: 2
