Tim:
>> If you're storing *old* passwords that you don't want people to use
>> again, would it matter if they're stored as plain text? I would imagine
>> that you could just add them to a banned passwords list.

Les Mikesell:
> They may still be used elsewhere, and if you see a sequence of
> passwords an individual has used you may notice a pattern that
> will help you guess the current one.

Good point. Though you'd have to know which user had used which passwords, and you'd be guessing at where they might use them.

On that note, different services having different requirements on what you can use as a password could actually be beneficial - making it less likely that a user will use the same password elsewhere.

> But the real issue is that the usual way that you would have such a
> list is that you saved it from the time each password was created -
> meaning you had the plain text while they were active too.

Perhaps not necessarily. At the time a password change gets enforced, you could add it to the banned list. Of course that doesn't stop some twit from changing from "secret1" to "secret2", unless your banning list works for partial matches.

--
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.