Andrew Bartlett wrote:
> or else your users change from password1
> to password2 to password3 then back to password1.
They sure do! I hate that...
I spoke to my colleague, and he refreshed my memory
about that part: we variously used crypt or an MD4
hash to encrypt passwords and stored the encrypted
form in a lookup table of N elements per user. If
someone changed their password, we encrypted it
and looked to se if it was already there, and if not
replaced the oldest stored copy.
To avoid collisions with other people's
passwords causing false positives, we generated
a salt from the userid, and applied it as part of
the encryption, but did not store the salt in the
lookup table so you couldn't see it was salted
deterninistically from just looking at the
file.
--dave
--
David Collier-Brown, | Always do right. This will gratify
Sun Microsystems DCMO | some people and astonish the rest.
Toronto, Ontario |
(905) 415-2849 or x52849 | [EMAIL PROTECTED]
