On Mon, 3 Jul 2006, STeve Andre' wrote:
> On Monday 03 July 2006 17:37, Jeff Simmons wrote:
>
> I can't resist pointing out that this is an AWFUL policy. You will be
> remembering people's passwords, a history of them, which are
> very likely to be used on other systems. That's really bad. I wonder
> (at least in the USA) what would happen to your company if that
> data was ever stolen?
>
> --STeve Andre'
>
Ahhh, .. that's what hashes are for; easily recreatable given duplicate
input strings, but creating the input string FROM the hash is just about
impossible [lacking near infinite resources].
Storing hashes in a DB is just fine - that's how passwords are encrypted
in any case. Comparing the current to any others in the past 90 days
would work swimmingly for a secure audit trail.
Lee
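
The 90-day history check described in this reply, as an added example that is not part of the original thread. It assumes salted PBKDF2-HMAC-SHA256 records; the function names, record layout and iteration count are illustrative assumptions, and it shows that with per-entry salts the candidate must be re-derived against each stored entry rather than compared as one fixed hash.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ITERATIONS = 100_000                 # assumed work factor; tune for your hardware
HISTORY_WINDOW = timedelta(days=90)  # the 90-day window mentioned in the thread


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, deliberately slow hash of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_entry(password: str, when: datetime, iterations: int = ITERATIONS) -> dict:
    """History record: salt, work factor, digest and timestamp. No plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "digest": derive(password, salt, iterations), "set_at": when}


def reused_within_window(candidate: str, history: list, now: datetime) -> bool:
    """True if candidate matches any password set inside the history window."""
    hit = False
    for entry in history:
        if now - entry["set_at"] > HISTORY_WINDOW:
            continue  # older than the window, no longer blocks reuse
        # Every entry has its own salt, so re-derive the candidate per entry.
        digest = derive(candidate, entry["salt"], entry["iterations"])
        # Constant-time comparison; keep looping so timing does not reveal
        # which history slot matched.
        hit |= hmac.compare_digest(digest, entry["digest"])
    return hit


def change_password(candidate: str, history: list, now: datetime) -> bool:
    """Reject a recently used password, otherwise append it to the history."""
    if reused_within_window(candidate, history, now):
        return False
    history.append(new_entry(candidate, now))
    return True
```
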