
That would mean that they're storing the passwords themselves, hopefully encrypted, rather than just a salted slow hash of them. That makes me nervous. Should it?


You could have a form asking for the previous password and the new password... It then checks the previous password against the salted hash and then has the information to compare changes between the old password and new password without having to store anything.


Then you[1] can just alternate between two sequences of passwords: password1, cleverme1, password2, cleverme2, ...

[1] Meaning: anyone who wishes to use the service but isn't willing to come up with an unending stream of genuinely different passwords for it.
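Added example (not code from either commenter, written here to illustrate the two comments above): the stateless check described in the earlier comment, with the old password verified against a salted slow hash and then compared to the new one for trivial edits, followed by the alternating sequence from the later comment, which this check cannot catch because nothing about earlier passwords is stored. The iteration count, the edit-distance threshold and the similarity heuristics are assumptions for the example, not from the thread.

```python
import hashlib
import hmac
import os

# Assumed parameters for the example: PBKDF2-HMAC-SHA256 with a per-user random
# salt and a deliberately slow iteration count, plus a similarity threshold.
PBKDF2_ITERATIONS = 100_000
MAX_EDIT_DISTANCE = 3  # assumed policy: reject a new password within 3 edits of the old one


def make_record(password: str) -> dict:
    """Store only a random salt and the slow hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str) -> bool:
    """Assumed heuristics: reject case-only changes, one password contained in
    the other, the same stem with a different trailing digit run, or a small
    edit distance. Only the two plaintexts are needed; nothing is stored."""
    o, n = old.lower(), new.lower()
    if o == n or o in n or n in o:
        return True
    if o.rstrip("0123456789") == n.rstrip("0123456789"):
        return True
    return edit_distance(o, n) <= MAX_EDIT_DISTANCE


def change_password(record: dict, old: str, new: str):
    """Return (ok, reason, record). The old password is checked against the
    stored hash first, so the similarity check only ever sees a password the
    user has just proven they know."""
    if not verify(record, old):
        return False, "old password incorrect", record
    if too_similar(old, new):
        return False, "new password too similar to old", record
    return True, "changed", make_record(new)


def run_sequence(start: str, attempts: list) -> list:
    """Apply a sequence of change attempts and return [(new_password, accepted)].
    The stored record is replaced on every accepted change, so the server never
    holds more than one salt and hash per user."""
    record = make_record(start)
    current = start
    outcomes = []
    for new in attempts:
        ok, _reason, record = change_password(record, current, new)
        outcomes.append((new, ok))
        if ok:
            current = new
    return outcomes


if __name__ == "__main__":
    # Constructed input: the alternating sequence from the thread. The trivial
    # edits are refused, but alternating between two unrelated passwords is not,
    # because the check only ever sees the immediately previous password.
    for new, ok in run_sequence("password1", ["password2", "Password1!", "cleverme1", "password2", "cleverme2"]):
        print(f"{new:12s} {'accepted' if ok else 'rejected'}")
```

The same property that answers the first comment's worry (only a salt and a slow hash are ever stored) is what lets the alternation in the later comment through: with no history, `password2` looks unrelated to `cleverme1`. Catching that would require keeping a short list of previous hashes, which is still not storing passwords, but it is more than the stateless scheme above.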



