RE: Password too similar?

by "Lauri Vain" <lauri_lists(at)tharapita.com>

 Date:  Thu, 8 Aug 2002 21:29:11 +0300
 To:  "'Kid Stevens'" <kstevens89(at)comcast.net>,
<hwg-techniques(at)hwg.org>
> So to your question: Windows decodes the entire password
> file when you add a new password so it reads it, does the 
> compare and then rehashes it.  Oh boy if a hacker is watching 
> the temp password file with a javascript when it is unhashed.

Argh, so Windows passwords are not stored as one-way hashes? I thought
about implementing a "password too similar" routine in my web systems,
but my policy is to only store one-way hashes of passwords in databases.
I have some alternative ideas to do this, though (I have to benchmark
them before implementation to make sure that it's worth it).  

Thanks for the information, everybody! 

Cheers, 
Lauri
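
An added example, not part of the original message and not the poster's own approach: one way to run a "password too similar" check while storing only salted one-way hashes. It assumes the change-password form asks for the current password, so both values are in memory only for the duration of the request; the function names, the PBKDF2 iteration count and the distance threshold are hypothetical choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for this example
MIN_DISTANCE = 4       # assumed policy: at least 4 edits between old and new


def hash_password(password, salt=None):
    """Return (salt, digest); these two values are all that gets stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(record, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def change_password(record, old, new):
    """Check old against the stored hash, reject near-duplicates, return the new record."""
    if not verify_password(record, old):
        raise PermissionError("current password is wrong")
    # The similarity test uses the plaintext the user just typed, never stored data.
    if edit_distance(old.casefold(), new.casefold()) < MIN_DISTANCE:
        raise ValueError("new password is too similar to the current one")
    return hash_password(new)


if __name__ == "__main__":
    stored = hash_password("Summer2002!")          # constructed sample password
    try:
        change_password(stored, "Summer2002!", "Summer2003!")
    except ValueError as err:
        print("rejected:", err)
    stored = change_password(stored, "Summer2002!", "violet-kettle-armchair")
    print("accepted, new hash stored:", stored[1].hex()[:16], "...")
```

This compares the new password only with the current one; comparing against older passwords is not possible this way, because only their hashes remain.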

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA