List: General Discussion
From: John Meyer  Date: January 19 2010 1:03am
Subject: Re: Record old passwords ?
On 1/18/2010 5:52 PM, Colin Streicher wrote:
> On January 18, 2010 01:34:15 pm Tompkins Neil wrote:
>> Hi
>>
>> I'm in the process of designing a login system to a secure web page using
>> MySQL.  One of the features is we need to record and ensure that the user
>> password is different from any of the last four passwords he/she has used.
>> I was thinking of creating four fields called Password1, Password2,
>> Password3 and Password4 to record the old passwords.
>>
>> Is this a preferred method - or does anyone else have any recommendations ?
>>
>> Thanks,
>> Neil
>>
> I'm not an awesome database designer; most of what I do is code-related stuff.
> I think what I would do for this is 1. hash the password (sha256/512, whatever)
> and then 2. store the hash in a string with delimiters. In that way, you solve
> 2 problems.
> You can store as many as you want to because you can just check hashes to make
> sure it isn't the same, and second, you aren't storing passwords in plaintext,
> which is a personal pet peeve.
>


Almost always, when you start thinking of fields with numbers at the end 
of their names, you should move that off to another table.  Example:


PASSWORD_HISTORY
PW_ID
USER_ID  <--foreign key linking to the user table
PW_ENTRY
PW_ENTRYDATE


That way all you have to do is write this query:

SELECT * FROM PASSWORD_HISTORY WHERE USER_ID='entry' ORDER BY 
PW_ENTRYDATE DESC LIMIT 4;


Although, on an OT, forcing people to not use a password that they have 
recently used is a bad idea.  What they eventually do is go with 
something like "hometown01", "hometown02", etc.  Or worse, they start 
writing down their passwords, which is a whole other security problem.



