valleyer 4 days ago

Um, that's a really bad sign...

Reply View 12 replies
  • rocqua 4 days ago

    No, you can do it safely. The idea is to have the password renewal process also ask for the previous password.

    This means the password changing method doesn't need to store a plaintext password, but still has access to the old plaintext password when changing. It's still not a great idea, but that's because nagging your users will see them choose worse passwords.

    Reply View 1 reply
  • klysm 4 days ago

    To elaborate for the uninitiated, that means they are storing it in plaintext somewhere.

    Reply View 6 replies
    • mattmanser 4 days ago

      No it doesn't. Shows you how complicated all this is and how the un-initiated (including me) should learn to not give their two cents.

      When you do the password change it asks you for the old one, that's how it knows.

      So it asks for old + new, checks old is correct against the hash, and then compares old + new likeness.

      So it all happens in memory.

      Reply View 0 replies
    • _moof 4 days ago

      Unless they ask you for your current password as part of the password change flow.

      Reply View 0 replies
    • mx_03 4 days ago

      Is there any way to check that with non-plain-text password?

      Reply View 3 replies
      • jchw 4 days ago

        Actually it can be trivial as long as you can require the user to re-type the current password when entering a new password; check hash first, then check edit distance with the entered "current password" (and, of course, promptly throw it away once you know the edit distance.)

        Reply View 2 replies
  • dspillett 4 days ago

    Not if the check is done client-side, so the plain password never leaves you local domain. Of course the check being done client-side means that it isn't difficult to skip if you are inclined to make a smidgin of effort.

    Reply View 2 replies
    • thih9 4 days ago

      It can be done server side too, the old password can be sent along the new one and the server can verify it.

      Reply View 1 reply
      • dspillett 2 hours ago

        Yes, what I meant to say that it doesn't even have to be done server-side, so the fact it happens doesn't imply the server ever sees the old password beyond it's initial setting.

        Reply View 0 replies