Every now and then I come across applications that force you to change passwords once in a while. Almost universally, they have this strange requirement for the new password: it has to be "significantly" different from your previous password(s).
While at first this sounds logical, next thing I think is: how do they do that? Do they store my passwords in plain text? I would have accepted the answer that they do, if it wasn't for the fact that these are kinds of applications that pretend to care about security so much they force you to change your password if it is expired! Microsoft Exchange is one example of this.
I'm not very good at cryptography and hash functions, so my question is this: Is it possible to enforce this kind of policy without storing passwords in plain text?
Do you know how this policy is implemented in real world applications?
UPDATE: An Example. I was recently changing my Microsoft Exchange password. I only use Web Access, so it might be different a little -- I have no idea. So, it forces me to change my password. What I do sometimes is I change it to something new and then change it back almost immediately. The freaky part is that It did not allow me to even change it back because of this. I tried changing it a little, by adding a letter in front of it or changing one symbol -- no luck, it was complaining.
Two factors determine a password's strength: length and complexity. A password's length is determined by the number of characters in the password. For example, the password asdf1234 has a length of eight characters. Most cPanel & WHM passwords require a minimum password length.
According to guidance offered by the National Institute of Standards and Technology (NIST), password length is more important than password complexity. This actually makes a lot of sense as longer passphrases take longer to crack, and they are easier to remember than a string of meaningless characters.
The longer the password, the longer it will take to crack. When a password cracker has more characters to fill to guess the correct password, it's exponentially less likely to get it right. In other words, you don't need a complex password with lots of fancy special characters if you have a long password.
With a typical hash, the best you can do is see if the new password is exactly equal to previous ones. You can break the password into multiple hashes in order to get more flexible with comparison, for example 3 hashes:
You could for example require all the hashes to change to be accepted, to prevent users from just changing their password from SecretPassword01
to SecretPassword02
.
A cryptographic expert may weigh in here on if this could be made as secure as a single hash.
NOTE that this is not as secure as a single hash, so before you go implementing this, make sure you have really done your research.
When changing password you're usually asked for the old one to confirm your identity. It's then trivial to compare the old one and the new one to see how much they differ. TBH I don't know how to compare to several previous passwords without storing them, but that's getting into the territory of ridiculous policies anyway.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With