RE: Password too similar?
by Kid Stevens <kstevens89(at)comcast.net>
Date: Thu, 08 Aug 2002 13:54:06 -0600
To: hwg-techniques(at)hwg.org
References: tharapita

I live and breathe PGP encryption upon VPN connections by installing
PGP VPN on my webservers. Everything is passed 4096 Triple DES
encoded.

At 9:29 PM +0300 8/8/02, Lauri Vain wrote:
>> So to your question: Windows decodes the entire password
>> file when you add a new password so it reads it, does the
>> compare and then rehashes it. Oh boy if a hacker is watching
>> the temp password file with a javascript when it is unhashed.
>
>Argh, so Windows passwords are not stored as one-way hashes? I thought
>about implementing a "password too similar" routine to my web systems,
>but my policy is to only store one-way hashes of passwords in databases.
>I have some alternative ideas to do this, though (I have to benchmark
>them before implementation to make sure that it's worth it).
>
>Thanks for the information, everybody!
>
>Cheers,
>Lauri
--
Sincerely,
Kid Stevens
"I spend so much time alone that I begin to lose my humanity."
-Yes I stole that from the movie "Wing Commander" and changed 3 words to suit m
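
The "password too similar" check discussed in this thread can be done while storing only one-way hashes, if the password-change form asks for the current password. The following is an added example, not code from the thread or from any poster; the PBKDF2 parameters, the distance threshold and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example
MIN_DISTANCE = 3      # assumed policy: at least 3 edits away from the old password

def hash_password(password, salt=None):
    """Return (salt, digest); these two values are all that is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def change_password(record, current, new):
    """record is the stored (salt, digest). Returns (record_to_store, message)."""
    salt, digest = record
    if not verify_password(current, salt, digest):
        return record, "current password incorrect"
    # Both plaintexts exist only in memory for this request. They are
    # lower-cased so that changing capitalisation alone is not a change.
    if edit_distance(current.lower(), new.lower()) < MIN_DISTANCE:
        return record, "new password too similar"
    return hash_password(new), "changed"

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    stored = hash_password("Summer2002!")
    print(change_password(stored, "Summer2002!", "Summer2003!")[1])
    print(change_password(stored, "Summer2002!", "correct horse battery")[1])
```

This compares the new password only with the current one, which the user has just typed; comparing against older passwords is not possible this way because only their hashes remain.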
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA