Hi,

Thanks for all the responses. In the end I opted for a separate UserPasswords table, which records all old passwords. When a user changes their password, this table is checked. NB: All passwords are stored in SHA256.

Thanks again for your advice.

Regards
Neil

On Wed, Jan 20, 2010 at 12:08 PM, Jørn Dahl-Stamnes <sq...@dahl-stamnes.net> wrote:

> On Wednesday 20 January 2010 01:10, Daevid Vincent wrote:
> > > -----Original Message-----
> > > From: John Meyer [mailto:john.l.me...@gmail.com]
> > > Sent: Monday, January 18, 2010 5:04 PM
> > > To: co...@obviouslymalicious.com; mysql@lists.mysql.com
> > > Subject: Re: Record old passwords ?
> > >
> > > Although, on an OT, forcing people to not use a password that they
> > > have recently used is a bad idea. What they eventually do is go with
> > > something like "hometown01" "hometown02", etc. Or worse, they start
> > > writing down their passwords which is a whole other security problem.
> >
> > Amen to that. At my work, they require a password change every month, but
> > they store the last 6 passwords you used, so I do exactly what you say -- I
> > have a logbook and store the same 6 passwords in it and just cycle them.
> > Other "tricks" I do, is use a pattern on the keyboard and just shift it.
> > None of this is secure, and I totally know it (although I'm not picking
> > "secret" or something as my PW, it's random letters/numbers/symbols). But I
> > hate the policy and I'm kind of a rebel like that. ;-p
>
> Several years ago I worked at a place where users had to change their windows
> password every N month and they kept a long history log of used password.
>
> My solution to this was to write a program that asked me for my current
> password and how many previous used password the system remembered. The
> program worked like this:
>
> for (n = 0; no_of_stored_password > n; n++) {
>     set_password(random_generated_password);
>     do_a_short_sleep();
> }
> set_password(original_password);
>
> ... and the problem was solved :)
>
> --
> Jørn Dahl-Stamnes
> homepage: http://www.dahl-stamnes.net/dahls/
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
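
A sketch of the UserPasswords history check described at the top of this message, added here as an example and not the poster's own code. It assumes a per-row random salt with PBKDF2-HMAC-SHA256 in place of a bare SHA256 digest, SQLite standing in for MySQL, and hypothetical column names and policy values; the minimum-age check is an addition that rejects the rapid cycling through the history described in the quoted reply.

```python
import hashlib
import hmac
import os
import sqlite3

HISTORY_DEPTH = 6            # assumed policy: remember the last 6 passwords
MIN_AGE_SECONDS = 24 * 3600  # assumed policy: at most one change per day
PBKDF2_ROUNDS = 100_000      # assumed work factor


def open_db():
    """In-memory stand-in for the UserPasswords table (columns are hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE UserPasswords ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " user_id INTEGER NOT NULL,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL,"
        " changed_at INTEGER NOT NULL)"
    )
    return db


def _derive(password, salt):
    # Salted, iterated hash: each history row has to be re-derived to compare.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def change_password(db, user_id, new_password, now):
    """Return 'ok', 'reused' or 'too_soon'; only 'ok' writes a new history row."""
    rows = db.execute(
        "SELECT salt, pw_hash, changed_at FROM UserPasswords"
        " WHERE user_id = ? ORDER BY id DESC LIMIT ?",
        (user_id, HISTORY_DEPTH),
    ).fetchall()
    # Minimum password age: refuse a change too soon after the previous one.
    if rows and now - rows[0][2] < MIN_AGE_SECONDS:
        return "too_soon"
    # Compare the candidate against every remembered password, using that row's salt.
    for salt, pw_hash, _changed_at in rows:
        if hmac.compare_digest(_derive(new_password, salt), pw_hash):
            return "reused"
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO UserPasswords (user_id, salt, pw_hash, changed_at)"
        " VALUES (?, ?, ?, ?)",
        (user_id, salt, _derive(new_password, salt), now),
    )
    db.commit()
    return "ok"
```
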