On 11/03/2010 10:41 AM, Robert Brockway wrote:
[snip]
> Personally I don't think much of keeping a record of old password
> hashes but for a different reason: they are easily circumvented by
> the user changing their password several times until they can reuse
> the old one again.

Then, instead of retaining N number of hashes, you keep N number of
days/months of hashes.

> Some organisations have tried to prevent this by
> limiting how quickly passwords can be changed - the problem with
> this approach should be obvious :)
--
Seek truth from facts.
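
The two retention policies contrasted in this thread, as an added example that is not part of the original messages: a history that keeps the last N hashes versus one that keeps every hash younger than a time window. The class and function names, the PBKDF2 parameters, the count of 5 and the 90-day window are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

def _hash(password, salt):
    # PBKDF2 stands in for whatever KDF the real system uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class PasswordHistory:
    """Per-user list of (set_time, salt, hash), oldest first."""
    def __init__(self):
        self.entries = []

    def record(self, password, now):
        salt = os.urandom(16)  # each stored hash gets its own salt
        self.entries.append((now, salt, _hash(password, salt)))

    def _matches(self, password, entries):
        # Salted hashes cannot be compared directly: re-derive per entry.
        return any(hmac.compare_digest(_hash(password, s), h) for _, s, h in entries)

    def reused_by_count(self, password, keep_last):
        """Policy A: only the last `keep_last` hashes are consulted."""
        recent = self.entries[-keep_last:] if keep_last else []
        return self._matches(password, recent)

    def reused_by_age(self, password, now, window):
        """Policy B: every hash set within `window` of `now` is consulted."""
        recent = [e for e in self.entries if now - e[0] <= window]
        return self._matches(password, recent)

def simulate_cycling(keep_last=5, window=timedelta(days=90)):
    """Constructed scenario: set a favourite password, burn through
    `keep_last` throwaways within minutes, then try the favourite again."""
    history = PasswordHistory()
    start = datetime(2010, 11, 3, 10, 0)
    favourite = "favourite-passphrase"
    history.record(favourite, start)
    for i in range(keep_last):
        history.record(f"throwaway-{i}", start + timedelta(minutes=i + 1))
    soon = start + timedelta(hours=1)
    later = start + window + timedelta(days=1)
    return {
        "count_policy_blocks": history.reused_by_count(favourite, keep_last),
        "age_policy_blocks": history.reused_by_age(favourite, soon, window),
        "age_policy_blocks_after_window": history.reused_by_age(favourite, later, window),
    }
```

Rapid cycling pushes the favourite out of the count-based history but cannot age it out of the time-based one; the cost is that the time-based store grows with every change made inside the window.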