
Correcthorsebatterystaple

ObXKCD:


A thought occurs to me: my place of work (henceforth POW) puts all sorts of requirements on passwords, and also requires that they be changed every 90 days (against best practices), so having worked there for a while, I am long past the point of being able to actually remember a password, or even caring to try. Password manager to the rescue.

However, POW IT also requires that the new password be more than x characters different from the last one. How can they know that, unless they are storing passwords in plaintext? If they’re handling them correctly, then all they should ever see, or be able to see, is a pseudo-random hash that either matches the current password hash or doesn’t. Even if they store the last hash, they shouldn’t be able to tell how far the new password is from the last one, entropically.

So I’m guessing they’re not actually doing it right. Which is not a big surprise, from the same folks whose best practices brought you the OPM hack.
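For context, here is an added example (not the post's own code, and nothing to do with the POW systems it describes) of how a change-password flow can enforce "at least x characters different" while storing only salted hashes: the old password is supplied by the user to authorize the change, so both plaintexts exist only for the duration of that one request. The user store, the iteration count and the minimum edit distance of 4 are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory store: username -> (salt, PBKDF2 digest). No plaintext is kept.
USERS = {}
ITERATIONS = 200_000
MIN_DISTANCE = 4  # hypothetical policy: new password must be at least 4 edits away


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def set_password(user: str, password: str) -> None:
    salt = os.urandom(16)  # fresh salt per password, so old and new digests are unrelated
    USERS[user] = (salt, hash_password(password, salt))


def verify_password(user: str, password: str) -> bool:
    salt, digest = USERS[user]
    return hmac.compare_digest(hash_password(password, salt), digest)


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance over the two plaintexts, which exist only inside this request.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def change_password(user: str, old: str, new: str) -> bool:
    # The caller must prove the old password to change it; that is what makes the
    # similarity check possible without any stored plaintext.
    if not verify_password(user, old):
        return False
    if edit_distance(old, new) < MIN_DISTANCE:
        return False
    set_password(user, new)
    return True
```

The comparison against the previous password stops working the moment the session ends, which is why a policy that also checks against passwords from several changes ago is the one that really does suggest plaintext (or reversible) storage.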