List:General Discussion« Previous MessageNext Message »
From:Tompkins Neil Date:January 19 2010 2:56pm
Subject:Re: Record old passwords ?
View as plain text  
Yes, I was thinking something along these lines e.g can only change password
once a day ?  Also, what do operating systems like Windows etc do in this
respect ?

Cheers
Neil

On Tue, Jan 19, 2010 at 2:53 PM, David Lazo <lazo.david@stripped> wrote:

> I would say make it more difficult for the user add another field with a
> flag or a date and not allow changing the password on the same date.
>
>
>
> On Tue, Jan 19, 2010 at 9:44 AM, Tompkins Neil <
> neil.tompkins@stripped> wrote:
>
>> Hi All,
>>
>> Following on from my earlier email - I've the following question now :
>>
>> I can enforce that the user can't use the same password as the previous
>> four
>> - when they change their password.  However, the user can manipulate this
>> by
>> changing the password four times and then resetting back to there original
>> password.  How would I overcome this problem ? Any thoughts or
>> recommendations ?
>>
>> Cheers
>> Neil
>>
>> On Tue, Jan 19, 2010 at 9:14 AM, Tompkins Neil <
>> neil.tompkins@stripped
>> > wrote:
>>
>> > Hi
>> >
>> > Thanks for all the replies.  For your information, we are going to store
>> > passwords using SHA256.   I think I will go with the four additional
>> column
>> > approach as I proposed (in the current table) - since this need is a PCI
>> > compliancy security requirement.  I can then pull all the data with one
>> > query.
>> >
>> > I don't envisage that we will need to record the last 20 passwords as a
>> > example in the future - so if I need to expand in the future it should
>> not
>> > be too involved.
>> >
>> > Cheers
>> > Neil
>> >
>> >
>> > On Tue, Jan 19, 2010 at 1:11 AM, Carlos Proal <carlos.proal@stripped
>> >wrote:
>> >
>> >> On 1/18/2010 6:52 PM, Colin Streicher wrote:
>> >>
>> >>> On January 18, 2010 01:34:15 pm Tompkins Neil wrote:
>> >>>
>> >>>
>> >>>> Hi
>> >>>>
>> >>>> I'm in the process of designing a login system to a secure web
> page
>> >>>> using
>> >>>> MySQL.  One of the features is we need to record and ensure that
> the
>> >>>> user
>> >>>> password is different from any of the last four passwords he/she
> has
>> >>>> used.
>> >>>>  I was thinking of create four fields called Password1,
> Password2,
>> >>>>  Password3 and Password4 to record the old passwords.
>> >>>>
>> >>>> Is this a preferred method - or does anyone else have any
>> >>>> recommendations ?
>> >>>>
>> >>>> Thanks,
>> >>>> Neil
>> >>>>
>> >>>>
>> >>>>
>> >>> I'm not an awesome database designer, most of what I do is code
>> related
>> >>> stuff,
>> >>> I think what I would do for this is 1. hash the password(
> sha256/512
>> >>> whatever)
>> >>> and then 2. store the hash in a string with delimiters. In that
> way,
>> you
>> >>> solve
>> >>> 2 problems.
>> >>> You can store as many as you want to because you can just check
> hashes
>> to
>> >>> make
>> >>> sure it isn't the same, and second, you aren't storing passwords in
>> >>> plain-
>> >>> text, which is a personal pet peeve.
>> >>>
>> >>>
>> >>>
>> >>
>> >> Neil,
>> >> As others appointed, having another table with old passwords is a good
>> >> "design" solution, and can allow you to have more than 4 passwords on
>> your
>> >> history. But in fact your solution is the best solution for performance
>> and
>> >> is called "denormalization", this solution gives good performance
>> because in
>> >> 1 read you get all the passwords but has the limitation of be "fixed"
>> to
>> >> only 4 passwords (which is not so bad because you can add new columns
>> as
>> >> needed, you will never have 20 history passwords anyway, do you ?).
>> >> So, thats the trade, design vs performance, you should pick the best
>> for
>> >> you.
>> >>
>> >> The solution proposed by Colin is another way to do it but, from the
>> good
>> >> design perspective is NOT a good solution, is what its called a
>> "multivalued
>> >> attribute" and all those should be avoided. But again, is up to you.
>> >>
>> >> Carlos
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> MySQL General Mailing List
>> >> For list archives: http://lists.mysql.com/mysql
>> >> To unsubscribe:
>> >> http://lists.mysql.com/mysql?unsub=1
>> >>
>> >>
>> >
>>
>
>

Thread
Record old passwords ?Tompkins Neil18 Jan
  • Re: Record old passwords ?SH18 Jan
  • Re: Record old passwords ?Carsten Pedersen18 Jan
  • Re: Record old passwords ?Colin Streicher19 Jan
    • Re: Record old passwords ?John Meyer19 Jan
      • RE: Record old passwords ?Daevid Vincent20 Jan
        • Re: Record old passwords ?Jørn Dahl-Stamnes20 Jan
          • Re: Record old passwords ?Tompkins Neil22 Jan
            • Re: Record old passwords ?Suresh Kuna27 Jan
    • Re: Record old passwords ?Carlos Proal19 Jan
      • Re: Record old passwords ?Tompkins Neil19 Jan
        • Re: Record old passwords ?Tompkins Neil19 Jan
          • Re: Record old passwords ?Mark Goodge19 Jan
            • Re: Record old passwords ?John Meyer21 Jan
              • RE: Record old passwords ?Jerry Schwartz21 Jan
          • Re: Record old passwords ?Lucio Chiappetti21 Jan
            • Re: Record old passwords ?Mark Goodge21 Jan
        • Re: Record old passwords ?Mark Goodge19 Jan
Re: Record old passwords ?Tompkins Neil19 Jan