How does the system know when a password contains parts of a previous password?

Probably a super basic question. I know many online services hash and salt passwords instead of storing them as plaintext for security purposes. My university's web portal requires students to change their passwords every 6 months. From what I know, the system is built on Oracle software.

My question is, however, how does the system know when my 20 character long password (with capitals, numbers, and symbols) contains 3 characters in the same order as the new password I'm trying to set? If the passwords are hashed, shouldn't the algorithm be one-way? Or is it possible that the system encrypts the plaintext passwords and stores them? Wouldn't that be less secure?

Sorry if the question is hard to understand. Let me know if you need me to clarify. Thanks in advance!

SamTheSammich asked Feb 09 '12 20:02


2 Answers

If you have to enter your previous password when creating a new one, the system can compare them directly. This could even be done client-side.

EDIT

There are only a few other possibilities:

  • They store your password in plaintext (in which case they should fire their entire IT department)
  • Their encryption method is two-way i.e. it can be decrypted (in which case they should fire their entire IT department)
  • They temporarily store your password when you log in. Maybe in a cookie or on the server. (In which case they should fire their entire IT department)
Nick Brunt answered Sep 28 '22 14:09
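The first answer's point, that the comparison can happen only because the user supplies the old password in the change request, as an added example (not code from the question or the answers). It assumes salted PBKDF2 storage and the 3-consecutive-character rule from the question; the old password is held in memory only for the duration of the handler and nothing reversible is ever written.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example: a password-change handler that verifies the old
# password against its stored hash, then runs the overlap check on the
# two plaintexts it already has in hand.

PBKDF2_ITERATIONS = 200_000  # assumed work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def shares_substring(old: str, new: str, n: int = 3) -> bool:
    """True if any run of n consecutive characters of `old` occurs in `new`.

    Comparison is case-sensitive here; a real policy may normalise case first.
    An old password shorter than n yields no windows and therefore False.
    """
    return any(old[i:i + n] in new for i in range(len(old) - n + 1))


def change_password(stored: dict, old_plain: str, new_plain: str, n: int = 3) -> str:
    """stored is {"salt": bytes, "hash": bytes}; mutated in place on success."""
    # Step 1: prove the caller knows the current password (one-way hash check).
    if not verify_password(old_plain, stored["salt"], stored["hash"]):
        return "rejected: old password incorrect"
    # Step 2: the overlap rule only needs the two plaintexts from this request.
    if shares_substring(old_plain, new_plain, n):
        return f"rejected: new password reuses {n} consecutive characters of the old one"
    # Step 3: store only a new salt and digest; old_plain is discarded with the call.
    stored["salt"], stored["hash"] = hash_password(new_plain)
    return "accepted"
```

The check in step 2 is impossible against a stored hash alone, which is why portals that enforce it must ask for the old password (or, as the answer notes, keep something they should not).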


It is likely that the previous password table is encrypted (possibly using rot26).

Chriseyre2000 answered Sep 28 '22 15:09