[e28eta]

It's pretty easy to keep a list of old salted hashes, and copmare the new password's salted hash against the previous ones. It doesn't require saving the old passwords.

[ikeboy]

If the salt changes, you'd need to compute the password using multiple salts, which might have crypto guarantee issues when sent to the server.

[niftich]

I don't follow what you're saying.

To compare your new password with your old password, you take the old salt, hash your new password together with it, and compare the result to the old hash. If they match, you're trying to reuse the same password. You do this on the server side, naturally.

[ikeboy]

If everything is done server side, sure.

[niftich]

Why wouldn't it be?

If salted hashing were done on the client side, it means you're actually sending username + saltedhash, instead of username + password to the server to log in.

So an attacker could submit a precomputed or stolen salted hash to be compared against the stored one -- completely defeating the point of hashing passwords in the first place.

[ikeboy]

>Why wouldn't it be?

So that the server never gets any plaintext.

>So an attacker could submit a precomputed or stolen salted hash to be compared against the stored one -- completely defeating the point of hashing passwords in the first place.

You could hash once on the client and once on the server to get the best (?) of both worlds. Really only the server one needs to be salted.

[icebraining]

I don't see what hashing on the client gets you.