by zerokyuu 5891 days ago
I completely agree. My university required you to change your password every 90 days. Not such a bad idea; however, they compare your new password against all previous passwords to make sure they are significantly different (e.g. you can't change your password from abcdefg to abcdeff). I'm assuming this means they save your passwords in clear text somewhere. Not exactly the type of people I'd trust with sensitive information.

EDIT: meastham makes a good point and he/she could definitely be right about generating hashes of all slight variations of each password. In response to what fname said, I'm wondering if there are any security concerns about being able to find similarities in hashes for similar passwords.

3 comments

That doesn't mean that they're storing your passwords in the clear. They could simply be keeping hashes of your old passwords around and checking simple variations of the new password you're trying to use.
If I understand what you're suggesting, it is that they generate a list of slight variations to the new password, hash it, then compare it to the old password, right?

I think many people are misunderstanding what you're saying i.e., they think you're saying that similarities between hashes correspond to similarities between passwords.

In the Windows/AD world, this is not true. AD will never store a current or previous password in clear-text. AD will, however, compare the password hashes before it will accept the new password when this type of setting is enabled.

Edited to add: There's some logic to detect how close a new password is to an old one. Mainly, it's looking for consistencies between the two.

You can easily tell AD (at least in 03) to store passwords in plain text (for backwards compatibility).
Why are you assuming that? You can compare hashes ("does the encrypted version of what they entered as a new password equal any of the encrypted previous passwords").
If by hash you mean a one-way hashing system, then he did say significantly different and not just different. You couldn't do that with any common one-way hash.
You're correct, I didn't understand what he meant by significantly different until you pointed it out, because I have never encountered a system that didn't allow me to have a "similar password". However, I have encountered ones where my new password could not contain previous passwords, so unless they are hashing each component of my password and comparing, this probably does indicate clear-text storage.
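An added example, not code from anyone in this thread, showing how both checks discussed here can be done against a history of salted one-way hashes with no plaintext kept: the "slight variations" scheme meastham describes (hash every string within one edit of the candidate and look for it in the history) and the "must not contain a previous password" rule from the last reply (hash every substring of the candidate and look for it in the history). The history store, the PBKDF2 parameters, the minimum substring length and the sample passwords are assumptions made for the demo; only the Python standard library is used.

```python
import hashlib
import hmac
import os
import string
from typing import List, Tuple

# Deliberately low so the variant enumeration finishes quickly in a demo;
# a real password store would use a far higher count or a memory-hard KDF.
ITERATIONS = 200
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_SUBSTRING = 4  # shorter fragments would match far too often

# Hypothetical history store: one (salt, PBKDF2 digest) pair per retired
# password. Nothing reversible is kept.
History = List[Tuple[bytes, bytes]]


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def remember(history: History, password: str) -> None:
    """Add the salted hash of a password that is being retired."""
    salt = os.urandom(16)
    history.append((salt, derive(password, salt)))


def in_history(history: History, value: str) -> bool:
    """True if value is exactly equal to some previously stored password."""
    return any(hmac.compare_digest(derive(value, salt), digest)
               for salt, digest in history)


def edit_distance_one(password: str) -> List[str]:
    """The password itself plus every string one deletion, substitution or
    insertion away from it (Levenshtein distance <= 1), without duplicates."""
    variants = [password]
    for i in range(len(password)):
        variants.append(password[:i] + password[i + 1:])                      # deletion
        variants += [password[:i] + c + password[i + 1:] for c in ALPHABET]  # substitution
    for i in range(len(password) + 1):
        variants += [password[:i] + c + password[i:] for c in ALPHABET]      # insertion
    return list(dict.fromkeys(variants))


def substrings(password: str, min_len: int = MIN_SUBSTRING) -> List[str]:
    """Every substring of password with at least min_len characters."""
    n = len(password)
    return sorted({password[i:j] for i in range(n) for j in range(i + min_len, n + 1)})


def too_close(history: History, candidate: str) -> bool:
    """'Significantly different' rule: no old password within one edit."""
    return any(in_history(history, v) for v in edit_distance_one(candidate))


def contains_old(history: History, candidate: str) -> bool:
    """'Must not contain a previous password' rule, done by hashing each
    component of the candidate rather than by keeping old passwords in clear."""
    return any(in_history(history, s) for s in substrings(candidate))


def check(history: History, candidate: str) -> str:
    if too_close(history, candidate):
        return "rejected: within one edit of a previous password"
    if contains_old(history, candidate):
        return "rejected: contains a previous password"
    return "accepted"


if __name__ == "__main__":
    hist: History = []
    for old in ("abcdefg", "hunter2"):  # constructed sample history
        remember(hist, old)
    for cand in ("abcdeff", "abcdefg1", "myhunter2pw", "zebra-99"):
        print(f"{cand!r}: {check(hist, cand)}")
```

The practical caveat is cost, not feasibility: each change attempt hashes (variants + substrings) times the history length, roughly 1,600 variants for an 8-character candidate against a full alphabet, and it only catches changes of a single edit. With a 24-entry history and a production-strength KDF that is seconds of CPU per attempt, which is the usual reason systems that enforce richer similarity rules end up storing something reversible. Note also that nothing here compares hashes to each other for similarity; every comparison is an exact match of a freshly computed digest against a stored one.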