From: Daevid Vincent
Date: January 20 2010 12:10am
Subject: RE: Record old passwords ?
List-Archive: http://lists.mysql.com/mysql/220314
Message-Id: <476A6E0804EA456C88BAD813411A6BCA@mascorp.com>

> -----Original Message-----
> From: John Meyer [mailto:john.l.meyer@stripped]
> Sent: Monday, January 18, 2010 5:04 PM
> To: colin@stripped; mysql@stripped
> Subject: Re: Record old passwords ?
>
> Although, on an OT, forcing people to not use a password that they
> have recently used is a bad idea. What they eventually do is go with
> something like "hometown01" "hometown02", etc. Or worse, they start
> writing down their passwords which is a whole other security problem.

Amen to that. At my work, they require a password change every month, but they store the last 6 passwords you used, so I do exactly what you say -- I have a logbook and store the same 6 passwords in it and just cycle them. Another "trick" I use is a pattern on the keyboard that I just shift. None of this is secure, and I totally know it (although I'm not picking "secret" or something as my PW, it's random letters/numbers/symbols). But I hate the policy and I'm kind of a rebel like that. ;-p

It's a tough balance between trying to be secure because you have "ID-10t" users and not being so obnoxious that the end result is that you have caused more insecurity.

Personally, I would suggest just enforcing strong password rules (>8 characters, no dictionary words, no 'leet' speak, symbol required, one upper required, one number required, etc.) and leave it at that. But you had better be enforcing this for something like a bank or medical records. If you're trying to do this for a blog or social network site or something equally trite, then you're doing your users a disservice and only serving to frustrate them.

And of course, you NEVER store the actual password. You store a hash of it. Then implement a simple system to generate a new password and mail it, or a token to enable the user to change it if forgotten.

ÐÆ5ÏÐ

"Some people, when confronted with a problem, think 'I know, I'll use XML.'" Now they have two problems.
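The three points the reply makes (enforce a strong-password rule set, store only a hash of the password, and recover a forgotten password through a token rather than by knowing the old one) in working form. This is an added example, not code from the mailing-list post or from MySQL. The dictionary word list, the leet-speak substitution table, the PBKDF2 iteration count and the 15-minute token lifetime are all assumptions chosen for illustration; the rule thresholds themselves (more than 8 characters, one upper-case letter, one digit, one symbol, no dictionary word even when written in leet speak) follow the post.

```python
import hashlib
import hmac
import os
import re
import secrets
import time
from typing import List, Optional, Tuple

# Added example, not code from the original mailing-list post.
PBKDF2_ITERATIONS = 600_000   # assumption: a present-day PBKDF2-HMAC-SHA256 work factor
TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset token is good for 15 minutes

# Constructed, deliberately tiny dictionary for the "no dictionary words" rule.
DICTIONARY_WORDS = {"password", "secret", "hometown", "welcome", "letmein"}

# Assumed leet-speak table, undone before the dictionary check so that
# "p4ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans("4301$5@7!", "aeolssati")


def check_policy(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) <= 8:
        problems.append("must be longer than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs an upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    # Lower-case and de-leet before looking for dictionary words.
    normalised = password.lower().translate(LEET_MAP)
    if any(word in normalised for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word (leet speak included)")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the only thing that gets stored: algorithm, work factor, salt and digest.

    The salt is random per user so identical passwords do not share a stored value."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def issue_reset_token(now: Optional[float] = None) -> Tuple[str, str, float]:
    """Return (token to mail to the user, hash to store, expiry timestamp).

    Only the hash is kept server-side, so the stored record cannot be replayed
    as a token; the user proves possession by presenting the original."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    return token, token_hash, now + TOKEN_TTL_SECONDS


def redeem_reset_token(presented: str, stored_hash: str, expires_at: float,
                       now: Optional[float] = None) -> bool:
    """Accept the token only if it is unexpired and hashes to the stored value."""
    now = time.time() if now is None else now
    if now > expires_at:
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(presented_hash, stored_hash)


if __name__ == "__main__":
    print(check_policy("hometown01"))           # the pattern the thread complains about
    record = hash_password("xQ7#vLm2!pRt9")
    print(record, verify_password("xQ7#vLm2!pRt9", record))
    token, token_hash, expires = issue_reset_token()
    print(redeem_reset_token(token, token_hash, expires))
```

Both `verify_password` and `redeem_reset_token` compare with `hmac.compare_digest` so that a wrong guess takes the same time as a right one, and the reset flow stores the token's hash for the same reason the password flow stores a hash: what the server keeps is not enough on its own to log in.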