
Password previously used ideas?

Hi Folks,

This is more for an intellectual exercise. It's not a difficult problem
but it might be interesting to find out different solutions.

So you have users, and they have passwords, stored in SHA1. You have a
policy which forces users to change their passwords every month or so.
So how to prevent them using two passwords and interchanging them? But
they must be able to reuse a password eventually.

I thought a separate db field to which old passwords are appended with a
separator, such as _. If the total instances of _ exceed 6, whenever a
password is appended, the first one is removed. Then all you do is a
substring search to find out if the new password is in this string, and
reject it if it is.

But is there a neater way?
Oct 28 '08 #1
Hugh Oxford wrote:
So how to prevent them using two passwords and interchanging them? But
they must be able to reuse a password eventually.
I thought a separate db field to which old passwords are appended with a
separator, such as _.
Bad idea, for several reasons. Use a separate table for that. On a side
note, learn about the normal forms of databases.

Cheers,
--
----------------------------------
Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

A computer is not a television or a microwave; it is a complex tool.
Oct 28 '08 #2
Hugh Oxford says...
So you have users, and they have passwords, stored in SHA1. You have a
policy which forces users to change their passwords every month or so.
So how to prevent them using two passwords and interchanging them? But
they must be able to reuse a password eventually.

I thought a separate db field to which old passwords are appended with a
separator, such as _. If the total instances of _ exceed 6, whenever a
password is appended, the first one is removed. Then all you do is a
substring search to find out if the new password is in this string, and
reject it if it is.
Is the underscore character invalid in your passwords? If not you're in
trouble.

Use a separate table for used passwords, with columns of user, password
and date. On an insert check for the number of entries for a user and
delete the oldest dated one when the count reaches your threshold. Would
also be a much more efficient check for reuse matches.

Geoff M
Oct 28 '08 #3
Geoff Muldoon wrote:
Hugh Oxford says...

Use a separate table for used passwords, with columns of user, password
and date. On an insert check for the number of entries for a user and
delete the oldest dated one when the count reaches your threshold. Would
also be a much more efficient check for reuse matches.

Geoff M
Of course I _could_ do this but I was looking for a way to avoid it. I
don't need to know what the old passwords were, I just need to know that
they aren't reusing them.

Does sha1 encode using underscores? I don't think so.
Oct 28 '08 #4
Hugh Oxford wrote:
>Use a separate table for used passwords, [...]

Of course I _could_ do this but I was looking for a way to avoid it.
Why?
I don't need to know what the old passwords were, I just need to know
that they aren't reusing them.
Of course you need to know what the old passwords were! How could you tell
if a password was used recently if you didn't keep that information?!

OTOH, if you don't want to keep the *cleartext* passwords in your DB for
security and/or privacy concerns, just hash the used passwords.

--
----------------------------------
Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

Your supervisor is thinking about you.

Oct 28 '08 #5
Rob
On Oct 28, 11:47 pm, Iván Sánchez Ortega <ivansanchez-...@rroba-escomposlinux.-.punto.-.org> wrote:
Hugh Oxford wrote:
Use a separate table for used passwords, [...]
Of course I _could_ do this but I was looking for a way to avoid it.

Why?
I don't need to know what the old passwords were, I just need to know
that they aren't reusing them.

Of course you need to know what the old passwords were! How could you tell
if a password was used recently if you didn't keep that information?!

OTOH, if you don't want to keep the *cleartext* passwords in your DB for
security and/or privacy concerns, just hash the used passwords.

--
----------------------------------
Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

Your supervisor is thinking about you.
Agree with Ivan, separate table with username, hashed password and
date.

Would make one change though. Rather than deleting the older entries,
I'd simply do a SELECT * FROM 'oldpasswords' WHERE user = x AND
password = y and created_date z.

You can then write a weekly/monthly script that clears out the old
passwords periodically.

Rob.
Oct 29 '08 #6
On 28 Oct, 20:23, Hugh Oxford <ares...@fas.com> wrote:
Hi Folks,

This is more for an intellectual exercise. It's not a difficult problem
but it might be interesting to find out different solutions.

So you have users, and they have passwords, stored in SHA1. You have a
policy which forces users to change their passwords every month or so.
So how to prevent them using two passwords and interchanging them? But
they must be able to reuse a password eventually.

I thought a separate db field to which old passwords are appended with a
separator, such as _. If the total instances of _ exceed 6, whenever a
password is appended, the first one is removed. Then all you do is a
substring search to find out if the new password is in this string, and
reject it if it is.

But is there a neater way?
This has always been one of my pet bug-bears. How does changing
passwords improve security? It makes them harder to remember which
makes users more likely to write them down - or choose something which
is more like a dictionary word. If a password is compromised then
later changed - sure the black hat can no longer get access with the
same credentials - but it doesn't miraculously undo any damage they
have done.

If security is a concern then do 2-factor authentication properly.

C.
Oct 29 '08 #7
"Hugh Oxford" <ar*****@fas.com> wrote in message
news:49**********************@news.zen.co.uk...
Hi Folks,

This is more for an intellectual exercise. It's not a difficult problem
but it might be interesting to find out different solutions.

So you have users, and they have passwords, stored in SHA1. You have a
policy which forces users to change their passwords every month or so.
Great idea. Keep track of how many users happen to choose "Januari"
"Februari" and so on.

You require at least one numeric char? November08, December08, Januari09
....
You require at least one non-alphanumeric? November_08, December_08, ...

So how to prevent them using two passwords and interchanging them?
You educate your users, and you stay away from technical non-solutions which
only increase the chance for bugs.

Nov 8 '08 #8
On Nov 7, 10:12 pm, "mijn naam" <whate...@hotmail.invalid> wrote:
"Hugh Oxford" <ares...@fas.com> wrote in message news:49**********************@news.zen.co.uk...
Hi Folks,
This is more for an intellectual exercise. It's not a difficult problem
but it might be interesting to find out different solutions.
So you have users, and they have passwords, stored in SHA1. You have a
policy which forces users to change their passwords every month or so.

Great idea. Keep track of how many users happen to choose "Januari"
"Februari" and so on.

You require at least one numeric char? November08, December08, Januari09
...
You require at least one non-alphanumeric? November_08, December_08, ....
So how to prevent them using two passwords and interchanging them?

You educate your users, and you stay away from technical non-solutions which
only increase the chance for bugs.
I never thought of using the months and years for my password. Great
idea!

Bill H

PS joking... I think :)
Nov 8 '08 #9
Great idea. Keep track of how many users happen to choose "Januari"
"Februari" and so on.

You require at least one numeric char? November08, December08, Januari09
...
You require at least one non-alphanumeric? November_08, December_08, ...
So how to prevent them using two passwords and interchanging them?

You educate your users, and you stay away from technical non-solutions
which
only increase the chance for bugs.
I never thought of using the months and years for my password. Great
idea!

Bill H

PS joking... I think :)
--------

I've seen something similar actually happen. They needed a new password
every three months. Can you think of four different periods throughout a
year?

Nov 8 '08 #10
