From: Tompkins Neil (neil.tompkins googlemail.com)
Date: Fri Jan 22 2010 - 12:22:40 CST
Hi
Thanks for all the responses. In the end I opted for
a separate UserPasswords table, which records all old passwords. When a
user changes their password, this table is checked. NB All passwords are
stored in SHA256.
Thanks again for your advice.
Regards
Neil
On Wed, Jan 20, 2010 at 12:08 PM, Jørn Dahl-Stamnes <sql06 dahl-stamnes.net> wrote:
> On Wednesday 20 January 2010 01:10, Daevid Vincent wrote:
> > > -----Original Message-----
> > > From: John Meyer [mailto:john.l.meyer gmail.com]
> > > Sent: Monday, January 18, 2010 5:04 PM
> > > To: colin obviouslymalicious.com; mysql lists.mysql.com
> > > Subject: Re: Record old passwords ?
> > >
> > > Although, on an OT, forcing people to not use a password that they
> > > have recently used is a bad idea. What they eventually do is go with
> > > something like "hometown01" "hometown02", etc. Or worse, they start
> > > writing down their passwords which is a whole other security problem.
> >
> > Amen to that. At my work, they require a password change every month, but
> > they store the last 6 passwords you used, so I do exactly what you say -- I
> > have a logbook and store the same 6 passwords in it and just cycle them.
> > Other "tricks" I do, is use a pattern on the keyboard and just shift it.
> > None of this is secure, and I totally know it (although I'm not picking
> > "secret" or something as my PW, it's random letters/numbers/symbols). But I
> > hate the policy and I'm kind of a rebel like that. ;-p
>
> Several years ago I worked at a place where users had to change their Windows
> password every N months and they kept a long history log of used passwords.
>
> My solution to this was to write a program that asked me for my current
> password and how many previously used passwords the system remembered. The
> program worked like this:
>
> for (n = 0; no_of_stored_password > n; n++) {
>     set_password(random_generated_password);
>     do_a_short_sleep();
> }
> set_password(original_password);
>
> ... and the problem was solved :)
>
> --
> Jørn Dahl-Stamnes
> homepage: http://www.dahl-stamnes.net/dahls/
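A sketch of the UserPasswords history check described in the first message, added here as an example and not code from anyone in the thread. The column names, the policy constants and the in-memory SQLite store are assumptions; PBKDF2-HMAC-SHA256 with a per-row salt is swapped in for a bare SHA256, and the minimum-age check is what stops the rapid cycling loop shown in the quoted reply.

```python
import hashlib
import hmac
import os
import sqlite3
import time

HISTORY_DEPTH = 6          # assumed policy: reject the last 6 passwords
MIN_AGE_SECONDS = 86400    # assumed policy: at most one change per day
PBKDF2_ROUNDS = 200_000    # assumed work factor for this example


def _kdf(password, salt):
    # Salted, iterated SHA256 instead of a single unsalted SHA256 digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def open_store():
    # In-memory stand-in for the UserPasswords table (schema is assumed).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserPasswords (user_id INTEGER, salt BLOB, "
               "hash BLOB, changed_at REAL)")
    return db


def change_password(db, user_id, new_password, now=None):
    """Return 'ok', 'too_soon' or 'reused'; on 'ok' the new hash is recorded."""
    now = time.time() if now is None else now
    rows = db.execute(
        "SELECT salt, hash, changed_at FROM UserPasswords WHERE user_id = ? "
        "ORDER BY changed_at DESC LIMIT ?", (user_id, HISTORY_DEPTH)).fetchall()
    # Minimum age: without it, N quick changes push the old password out
    # of the history window and it can be set again straight away.
    if rows and now - rows[0][2] < MIN_AGE_SECONDS:
        return "too_soon"
    # Salted hashes cannot be matched with WHERE hash = ?, so the candidate
    # is re-derived under each stored salt and compared in constant time.
    for salt, stored, _ in rows:
        if hmac.compare_digest(_kdf(new_password, salt), stored):
            return "reused"
    salt = os.urandom(16)
    db.execute("INSERT INTO UserPasswords VALUES (?, ?, ?, ?)",
               (user_id, salt, _kdf(new_password, salt), now))
    return "ok"
```
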