[WEB SECURITY] What's the best way to maintain password history?

Darren Bounds dbounds at gmail.com
Thu Nov 10 19:52:37 EST 2011

One drawback in relying solely on a hash for password history policy
enforcement is that won't allow you to perform any level of character
analysis for similarity to previous passwords, only identical ones. A
slightly more complicated but also more flexible system would involve
encryption rather than hashing. This technique is complicated due to the
need for key management.


On Thu, Nov 10, 2011 at 6:23 PM, Justin Scott <leviathan at darktech.org>wrote:

> > I'm looking for the best secure way to manage password
> > history when an user resets(or creates a new) user id in
> > a secure pci dss website.
> It's a pretty rare website that I've seen that allows someone to
> change their username or id once the account has been established.  If
> you're allowing the username / id to be changed, I would link that to
> their existing account records in the database to maintain a
> consistent history of the account.  As for passwords, just store a
> salted hash of their previous passwords for comparison to ensure they
> don't re-use an older one.  I don't recall any specific rules around
> reusing usernames, though you could do much the same if you want/need
> to prevent their reuse.
> -Justin Scott
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org


Thank you,
Darren Bounds
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20111110/e553fc68/attachment-0003.html>

More information about the websecurity mailing list