by sehrope 4223 days ago
>> Seemed like a good idea until it dawned on me that this means the passwords are stored as plaintext.

>There are several ways this can be done without that.

>Easiest is if they store the date of the last password change or otherwise know you haven't changed it. If it's old enough, double the plaintext before handing it to the hashing function.

Not quite. What you'd need to do is halve the user's entered password if it's older than the cutoff date. If the user enters "foobarfoobar" then you'd halve it to "foobar" before hashing and comparing it to what's stored.

If you only have the old hashed password stored then you don't have the hash of the doubled password, nor can you infer it.

This whole approach is silly of course. They should just force everybody to reset their passwords.
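The halving check described in the comment above, as an added example that is not part of the thread. The salted PBKDF2 hash stands in for whatever legacy hash the site actually stores (an assumption), and the salt and cutoff date are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date

# Constructed stand-in for the site's legacy password hash; the real scheme is unknown.
SALT = b"constructed-salt"
CUTOFF = date(2013, 1, 1)  # accounts untouched since before this must type the password twice


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only hash(original) is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_login(entered: str, stored_hash: bytes, last_changed: date,
                 cutoff: date = CUTOFF, salt: bytes = SALT) -> bool:
    """Return True if `entered` is acceptable for this account.

    For stale accounts the user must type the old password doubled
    ("foobar" -> "foobarfoobar"). Because the database holds only
    hash("foobar"), we cannot compare against hash("foobarfoobar");
    instead we halve the input and hash the first half.
    """
    candidate = entered
    if last_changed < cutoff:
        half = len(entered) // 2
        # Reject anything that is not an exact doubling (odd length or
        # mismatched halves) before touching the hash.
        if len(entered) % 2 or entered[:half] != entered[half:]:
            return False
        candidate = entered[:half]
    return hmac.compare_digest(hash_password(candidate, salt), stored_hash)


def demo() -> dict:
    """Stale account with stored hash("foobar"): only the doubled form passes."""
    stored = hash_password("foobar")
    stale = date(2012, 6, 1)
    return {
        "doubled_ok": verify_login("foobarfoobar", stored, stale),
        "single_rejected": not verify_login("foobar", stored, stale),
        "half_mismatch_rejected": not verify_login("foobarfoobaz", stored, stale),
        # The stored hash really is not the hash of the doubled password.
        "hashes_differ": hash_password("foobarfoobar") != stored,
    }
```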

2 comments

The reason to inconvenience rather than force is users in a rush will pick the worst passwords, even as paid employees where their password is the thing between the outside world and highly confidential stuff.
This is interesting. If I was a McGill employee, I'd be getting ready to try "foobarAAAAAA" and "AAAAAAfoobar"....