Re: password administration

From: Andrzej Zawadzki <zawadaa(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>, Craig James <craig_james(at)emolecules(dot)com>, pgsql-admin(at)postgresql(dot)org
Subject: Re: password administration
Date: 2010-08-08 20:55:05
Message-ID: 4C5F19A9.8020907@gmail.com
Lists: pgsql-admin

On 05.08.2010 22:54, Tom Lane wrote:
> Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> writes:
>> On Thu, Aug 5, 2010 at 2:20 PM, Craig James <craig_james(at)emolecules(dot)com> wrote:
>>> A better solution is to implement a password-strength algorithm and require
>>> people to select decent passwords to begin with.
>
>> Exactly. If you allow simpler passwords that have to be changed you
>> get things like:
>>
>> ilovemywife22 md5: b845aec254d018d118fe52c46ee8c98c
>>
>> changed to
>>
>> ilovemywife23 md5: 8c2b59e4d961478e3a9d5bd94979f329
>>
>> You can't tell how close they are by the md5. If you try to prevent
>> people from reusing similar passwords, then you have to store either
>> the previous passwords (bad security) or something like a soundex of
>> the previous password (also bad security.)
>
> A place I know but won't name has a policy of storing your last five
> passwords (hopefully in md5'd form, but I don't actually know that) and
> not letting you reuse those. Of course this merely encourages people to
> use a cycle of six or so passwords, like something they can remember
> with one digit tagged on.
Hi!
Such a policy is in force in my country (Poland), but only if the system
contains personal data (government law):
8 or more characters, 2 capital letters, 2 digits.
And... sometimes this is a pain in the... but we don't have a choice.

TIP: you don't need 6 passwords, just 2 that differ in one character ;-)

--
Andrzej Zawadzki
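The mechanics discussed in this thread (a strength rule of 8+ characters with 2 capitals and 2 digits, a history of the last five password hashes, and the fact that a hash-only history cannot tell "ILoveMyWife22" from "ILoveMyWife23") as an added example, not code from the post or from PostgreSQL. It uses salted PBKDF2 instead of the bare md5 quoted above, so each history entry must be re-derived with its own salt; the class and function names, the history depth and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

HISTORY_DEPTH = 5          # "storing your last five passwords", as in the thread
PBKDF2_ITERATIONS = 100_000  # illustrative work factor (assumption)


def meets_policy(password: str) -> bool:
    """The rule quoted in the post: 8+ characters, at least 2 capitals, at least 2 digits."""
    return (
        len(password) >= 8
        and sum(c.isupper() for c in password) >= 2
        and sum(c.isdigit() for c in password) >= 2
    )


def derive(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: a stored digest reveals nothing about neighbouring passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Keeps (salt, digest) for the last `depth` passwords and refuses exact reuse."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []  # oldest first

    def was_used(self, password: str) -> bool:
        # Every entry has its own salt, so the candidate is re-derived per entry
        # and compared in constant time. Only an exact match can be detected;
        # a one-character variant produces an unrelated digest.
        return any(
            hmac.compare_digest(derive(password, salt), digest)
            for salt, digest in self.entries
        )

    def set_password(self, password: str) -> str:
        if not meets_policy(password):
            return "rejected: policy"
        if self.was_used(password):
            return "rejected: reuse"
        salt = os.urandom(16)
        self.entries.append((salt, derive(password, salt)))
        self.entries = self.entries[-self.depth:]  # forget anything older than `depth`
        return "accepted"


def one_digit_variant_passes() -> bool:
    """Shows the gap Scott Marlowe points out: the history accepts the +1 variant."""
    hist = PasswordHistory()
    first = hist.set_password("ILoveMyWife22")
    again = hist.set_password("ILoveMyWife22")
    bumped = hist.set_password("ILoveMyWife23")
    return first == "accepted" and again == "rejected: reuse" and bumped == "accepted"


def cycle_length_to_reuse(depth: int = HISTORY_DEPTH) -> int:
    """Number of distinct passwords a user needs to rotate through before the
    original is accepted again: depth + 1 (Tom Lane's 'cycle of six')."""
    hist = PasswordHistory(depth)
    original = "CycleMe00"
    assert hist.set_password(original) == "accepted"
    used = 1
    while hist.set_password(original) == "rejected: reuse":
        # constructed distinct, policy-compliant filler passwords
        assert hist.set_password(f"Filler{used:02d}AB") == "accepted"
        used += 1
    return used


if __name__ == "__main__":
    print("policy ok:", meets_policy("ILoveMyWife22"), meets_policy("ilovemywife22"))
    print("one-digit variant slips past history:", one_digit_variant_passes())
    print("distinct passwords in the cycle:", cycle_length_to_reuse())
```

The history only ever sees digests, so it can block exact reuse but not near-duplicates; detecting those would require keeping plaintext or a similarity key, which is the trade-off the thread objects to.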
