Correcthorsebatterystaple
ObXKCD:
A thought occurs to me: my place of work (hereafter POW) puts all sorts of requirements on passwords, and also requires that they be changed every 90 days (against best practices), so having worked there for a while, I am long past the point of being able to actually remember a password, or even caring to try. Password manager to the rescue.
However, POW's IT also requires that the new password be more than x characters different from the last one. How can they know that, unless they are storing passwords in plaintext? If they’re handling them correctly, then all they should ever see, or be able to see, is a pseudo-random hash that either matches the current password hash or doesn’t. Even if they store the last hash, they shouldn’t be able to tell how far the new password is from the last one.
So I’m guessing they’re not actually doing it right. Which is not a big surprise, from the same folks whose best practices brought you the OPM hack.
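Added example (mine, not from the post), using constructed sample values: a correctly built store keeps only a salted hash, and the hashes of two passwords one character apart reveal nothing about their similarity; the "must differ by x characters" rule can only be checked inside the change request itself, where the user supplies the current password in the clear alongside the new one, so the check does not by itself prove plaintext storage.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (constructed value for the demo)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is all a correctly built system stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the candidate's hash against the stored hash."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def hash_bit_distance(h1: bytes, h2: bytes) -> int:
    """Count differing bits between two hashes (about half of them for any two inputs)."""
    return sum(bin(a ^ b).count("1") for a, b in zip(h1, h2))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two plaintext strings (needs both in the clear)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def change_password(old_pw: str, new_pw: str, salt: bytes, stored: bytes, min_distance: int):
    """Return (accepted, reason). The old plaintext is available only because the user
    typed it into this request; the store never holds anything but the hash."""
    if not verify_password(old_pw, salt, stored):
        return False, "current password wrong"
    if edit_distance(old_pw, new_pw) < min_distance:
        return False, "too similar to current password"
    return True, "ok"


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = hash_password("correcthorsebatterystaple", salt)
    near = hash_password("correcthorsebatterystaplf", salt)  # one character apart
    print("differing hash bits (of 256):", hash_bit_distance(stored, near))
    print(change_password("correcthorsebatterystaple", "correcthorsebatterystaplf", salt, stored, 4))
    print(change_password("correcthorsebatterystaple", "Tr0ub4dor&3", salt, stored, 4))
```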