I can't resist pointing out that this is an AWFUL policy. You will be
remembering people's passwords, a history of them, which are very likely
to be used on other systems. That's really bad. I wonder (at least in the
USA) what would happen to your company if that data was ever stolen?
--STeve Andre'
Ahhh... that's what hashes are for; easily recreatable given duplicate
input strings, but creating the input string FROM the hash is just about
impossible [lacking near infinite resources].
Not to bicker, but the resources needed to use a database of all
possible passwords, even with alphanumerics and salted, are very finite
-- albeit large. If we are talking about login() that is. Our company
maintains one for 8 characters, and while it requires a large database,
it still makes cracking passwords or finding collisions a trivial chore
for 8 character passwords. We are currently working on one that will
handle 13 character strings and hope to have it running by the end of
the year.
Just don't want people to think that they are safe, as it is not an NP-
complete problem. It is an NP-hard problem however.
CU
Chet Uber
President and Principal Scientist
SecurityPosture, Inc.
3718 N 113th Plaza, Omaha, NE 68164
vox +1 (402) 505-9684 | fax +1 (402) 932-2130 | cell (402) 813-3211
[EMAIL PROTECTED] | www.securityposture.com
--------------------------------------------------------
'It is vain to do with more what can be done with fewer'
--------------------------------------------------------
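The point the two replies above argue over, shown as an added example (not code from the thread or from either poster): a lookup table precomputed from a candidate password list recovers any unsalted hash instantly and links users who share a password, while a per-user random salt plus a slow KDF makes that precomputed table useless. The candidate list, iteration count and function names are assumptions for illustration.

```python
"""Added example: precomputed hash lookup vs. per-user salted, stretched hashes."""
import hashlib
import hmac
import os

# Constructed toy candidate list standing in for "a database of all possible passwords".
CANDIDATES = ["password", "letmein", "hunter2", "qwerty123", "Summer2024"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical input always gives identical output."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password once; reusable against every unsalted hash store."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, digest: str):
    """Reverse a digest by table lookup; None means the password was not in the table."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt makes each user's digest unique, the iteration
    count (an assumed value) makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str):
    """What a login system should persist: a fresh random salt and the derived hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def same_password_linkable(password: str) -> tuple:
    """Two users with the same password: linkable when unsalted, not when salted."""
    unsalted_equal = unsalted_hash(password) == unsalted_hash(password)
    salt_a, hash_a = store_salted(password)
    salt_b, hash_b = store_salted(password)
    return unsalted_equal, hash_a == hash_b
```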