On 1/18/2010 5:52 PM, Colin Streicher wrote:
> On January 18, 2010 01:34:15 pm Tompkins Neil wrote:
> > Hi
> >
> > I'm in the process of designing a login system to a secure web page using
> > MySQL.  One of the features is we need to record and ensure that the user
> > password is different from any of the last four passwords he/she has used.
> > I was thinking of creating four fields called Password1, Password2,
> > Password3 and Password4 to record the old passwords.
> >
> > Is this a preferred method - or does anyone else have any recommendations?
> >
> > Thanks,
> > Neil
>
> I'm not an awesome database designer, most of what I do is code-related stuff.
> I think what I would do for this is 1. hash the password (sha256/512, whatever)
> and then 2. store the hash in a string with delimiters. In that way, you solve
> 2 problems.
> You can store as many as you want to because you can just check hashes to make
> sure it isn't the same, and second, you aren't storing passwords in plaintext,
> which is a personal pet peeve.

Almost always, when you start thinking of fields with numbers at the end of their names, you should move that off to another table. Example:

PASSWORD_HISTORY
PW_ID
USER_ID  <--foreign key linking to the user table
PW_ENTRY
PW_ENTRYDATE


That way all you have to do is write this query:

SELECT * FROM PASSWORD_HISTORY WHERE USER_ID='entry' ORDER BY PW_ENTRYDATE DESC LIMIT 4;


Although, on an OT, forcing people to not use a password that they have recently used is a bad idea. What they eventually do is go with something like "hometown01" "hometown02", etc. Or worse, they start writing down their passwords which is a whole other security problem.
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=arch...@jab.org
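An added example, not from anyone in this thread, showing the PASSWORD_HISTORY table above with the "different from the last four" check actually implemented. It uses an in-memory SQLite database standing in for MySQL (an assumption for the sake of a self-contained run), keeps the posted column names, and adds one column, PW_SALT, because a per-row salt is what makes stored password hashes worth anything; the consequence is that the candidate password must be re-hashed with each stored salt rather than compared as a single hash. PBKDF2-HMAC-SHA256 is used in place of a bare SHA-256 digest. The user id, passwords and iteration count are made-up values.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000   # PBKDF2 work factor; assumed value, tune for your hardware
HISTORY_DEPTH = 4      # a new password must differ from this many previous ones


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plain text is never written to the table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_schema(conn: sqlite3.Connection) -> None:
    # One row per password ever set; the current password is simply the newest row.
    # PW_SALT is the one column added to the table posted above.
    conn.execute("""
        CREATE TABLE IF NOT EXISTS PASSWORD_HISTORY (
            PW_ID        INTEGER PRIMARY KEY AUTOINCREMENT,
            USER_ID      INTEGER NOT NULL,
            PW_SALT      BLOB    NOT NULL,
            PW_ENTRY     BLOB    NOT NULL,
            PW_ENTRYDATE TEXT    NOT NULL
                         DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
        )
    """)
    conn.execute(
        "CREATE INDEX IF NOT EXISTS ix_pwhist_user ON PASSWORD_HISTORY (USER_ID, PW_ID)"
    )


def recent_entries(conn: sqlite3.Connection, user_id: int, depth: int = HISTORY_DEPTH):
    # Same query as the post, with PW_ID as a tiebreak so two rows written in the
    # same instant still come back in insertion order.
    return conn.execute(
        "SELECT PW_SALT, PW_ENTRY FROM PASSWORD_HISTORY WHERE USER_ID = ? "
        "ORDER BY PW_ENTRYDATE DESC, PW_ID DESC LIMIT ?",
        (user_id, depth),
    ).fetchall()


def was_recently_used(conn: sqlite3.Connection, user_id: int, candidate: str) -> bool:
    # Each row carries its own salt, so the candidate is re-derived per row.
    # A single "hash it once and look for an equal string" check only works for
    # unsalted hashes, which is exactly the storage you do not want.
    for salt, stored in recent_entries(conn, user_id):
        if hmac.compare_digest(hash_password(candidate, salt), stored):
            return True
    return False


def set_password(conn: sqlite3.Connection, user_id: int, new_password: str) -> bool:
    """Record the new password unless it matches one of the last HISTORY_DEPTH.

    Returns True when the password was accepted and stored, False when rejected.
    """
    if was_recently_used(conn, user_id, new_password):
        return False
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO PASSWORD_HISTORY (USER_ID, PW_SALT, PW_ENTRY) VALUES (?, ?, ?)",
        (user_id, salt, hash_password(new_password, salt)),
    )
    conn.commit()
    return True


def demo() -> list:
    """Walk one made-up user through a sequence of password changes."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    attempts = ["first", "second", "third", "fourth",  # four fresh passwords
                "first",    # still inside the window of four: rejected
                "fifth",    # fresh: accepted, pushes "first" out of the window
                "second",   # inside the window: rejected
                "first"]    # now five changes back: accepted again
    return [(pw, set_password(conn, 1, pw)) for pw in attempts]


if __name__ == "__main__":
    for pw, ok in demo():
        print(f"{pw:8s} {'accepted' if ok else 'rejected'}")
```

On MySQL the equivalent table would use AUTO_INCREMENT, VARBINARY for the salt and hash, and a DATETIME(6) DEFAULT CURRENT_TIMESTAMP(6) entry date; the query and the per-row re-hashing are unchanged. Note that the check only ever touches the newest HISTORY_DEPTH rows, so older rows can be pruned or kept for audit without affecting the rule.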