On 1/18/2010 5:52 PM, Colin Streicher wrote:
> On January 18, 2010 01:34:15 pm Tompkins Neil wrote:
>> Hi
>>
>> I'm in the process of designing a login system to a secure web page using
>> MySQL. One of the features is we need to record and ensure that the user
>> password is different from any of the last four passwords he/she has used.
>> I was thinking of creating four fields called Password1, Password2,
>> Password3 and Password4 to record the old passwords.
>>
>> Is this a preferred method - or does anyone else have any recommendations?
>>
>> Thanks,
>> Neil
>>
> I'm not an awesome database designer, most of what I do is code related stuff,
> I think what I would do for this is 1. hash the password (sha256/512, whatever)
> and then 2. store the hash in a string with delimiters. In that way, you solve
> 2 problems.
> You can store as many as you want to because you can just check hashes to make
> sure it isn't the same, and second, you aren't storing passwords in plaintext,
> which is a personal pet peeve.
>
Almost always, when you start thinking of fields with numbers at the end
of their names, you should move that off to another table. Example:
PASSWORD_HISTORY
PW_ID
USER_ID <--foreign key linking to the user table
PW_ENTRY
PW_ENTRYDATE
That way all you have to do is write this query:
SELECT * FROM PASSWORD_HISTORY WHERE USER_ID='entry' ORDER BY
PW_ENTRYDATE DESC LIMIT 4;
Although, on an OT, forcing people to not use a password that they have
recently used is a bad idea. What they eventually do is go with
something like "hometown01", "hometown02", etc. Or worse, they start
writing down their passwords, which is a whole other security problem.
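Putting the two suggestions in the thread together (hash rather than store the password, and keep the history in its own PASSWORD_HISTORY table rather than in numbered columns), here is an added worked example that is not code from any of the posters. It uses an in-memory sqlite3 database as a stand-in for MySQL, adds a PW_SALT column that the thread's schema sketch does not have, and assumes PBKDF2-HMAC-SHA256 with an arbitrary work factor as the hash. Because every row carries its own salt, the candidate password cannot be compared to stored hashes directly; it has to be re-hashed once per row returned by the LIMIT 4 query.

```python
"""Password-history check on a normalized PASSWORD_HISTORY table.

Added example, not from the mailing-list thread.  sqlite3 stands in for
MySQL; the PW_SALT column and the PBKDF2 work factor are assumptions.
"""
import hashlib
import hmac
import os
import sqlite3

HISTORY_DEPTH = 4          # "different from any of the last four"
PBKDF2_ROUNDS = 100_000    # assumed work factor; tune for the server

SCHEMA = """
CREATE TABLE PASSWORD_HISTORY (
    PW_ID        INTEGER PRIMARY KEY AUTOINCREMENT,
    USER_ID      INTEGER NOT NULL,        -- foreign key to the user table
    PW_SALT      BLOB    NOT NULL,        -- per-row random salt
    PW_ENTRY     BLOB    NOT NULL,        -- hash of the password, never the password
    PW_ENTRYDATE INTEGER NOT NULL         -- seconds since the epoch
);
CREATE INDEX PH_USER_DATE ON PASSWORD_HISTORY (USER_ID, PW_ENTRYDATE);
"""


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so equal passwords do not produce equal rows."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def recent_entries(conn: sqlite3.Connection, user_id: int, depth: int = HISTORY_DEPTH):
    """The thread's query: newest `depth` rows for one user (PW_ID breaks date ties)."""
    return conn.execute(
        "SELECT PW_SALT, PW_ENTRY FROM PASSWORD_HISTORY "
        "WHERE USER_ID = ? ORDER BY PW_ENTRYDATE DESC, PW_ID DESC LIMIT ?",
        (user_id, depth),
    ).fetchall()


def is_reused(conn: sqlite3.Connection, user_id: int, candidate: str) -> bool:
    """True if `candidate` matches any of the user's last HISTORY_DEPTH passwords."""
    for salt, stored_hash in recent_entries(conn, user_id):
        # Each row has its own salt, so the candidate is hashed once per row.
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            return True
    return False


def set_password(conn: sqlite3.Connection, user_id: int, new_password: str, now: int) -> bool:
    """Record a new password unless it repeats one of the last four; returns success."""
    if is_reused(conn, user_id, new_password):
        return False
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO PASSWORD_HISTORY (USER_ID, PW_SALT, PW_ENTRY, PW_ENTRYDATE) "
        "VALUES (?, ?, ?, ?)",
        (user_id, salt, hash_password(new_password, salt), now),
    )
    conn.commit()
    return True


def history_depth_for(conn: sqlite3.Connection, user_id: int) -> int:
    """How many rows the LIMIT 4 query actually returns for this user."""
    return len(recent_entries(conn, user_id))


if __name__ == "__main__":
    # Constructed walk-through: user 1 rotates through five passwords.
    db = open_db()
    for t, pw in enumerate(["alpha-1", "bravo-2", "charlie-3", "delta-4"], start=1):
        print(pw, "accepted" if set_password(db, 1, pw, t) else "rejected")
    print("alpha-1 again:", "accepted" if set_password(db, 1, "alpha-1", 5) else "rejected")
    print("echo-5:", "accepted" if set_password(db, 1, "echo-5", 5) else "rejected")
    print("alpha-1 after aging out:", "accepted" if set_password(db, 1, "alpha-1", 6) else "rejected")
```

In this layout the newest PASSWORD_HISTORY row is the user's current password, so the "last four" check covers the current one as well; if the live password hash lives in the user table instead, it has to be checked separately. hmac.compare_digest is used so the comparison time does not depend on how many leading bytes match.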