RE: Password too similar?

by Kid Stevens <kstevens89(at)comcast.net>

 Date:  Thu, 08 Aug 2002 13:54:06 -0600
 To:  hwg-techniques(at)hwg.org
 References:  tharapita
I live and breathe PGP encryption upon VPN connections by installing 
PGP VPN on my webservers.  Everything is passed 4096 Triple DES 
encoded.

At 9:29 PM +0300 8/8/02, Lauri Vain wrote:
>>  So to your question: Windows decodes the entire password
>>  file when you add a new password so it reads it, does the
>>  compare and then rehashes it.  Oh boy if a hacker is watching
>>  the temp password file with a javascript when it is unhashed.
>
>Argh, so Windows passwords are not stored as one-way hashes? I thought
>about implementing a "password too similar" routine to my web systems,
>but my policy is to only store one-way hashes of passwords in databases.
>I have some alternative ideas to do this, though (I have to benchmark
>them before implementation to make sure that it's worth it). 
>
>Thanks for the information, everybody!
>
>Cheers,
>Lauri


-- 
Sincerely,
Kid Stevens

"I spend so much time alone that I begin to lose my humanity."
-Yes I stole that from the movie "Wing Commander" and changed 3 words to suit m

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA