• abraxas@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    They shouldn’t be storing the old password hashed, either. Expired password hashes should be destroyed like any other potentially-sensitive information that is no longer business critical.

    There is a reason hackers look to get users tables even though the passwords are hashed. Because with enough of them and enough time, they can usually figure out plaintext. Giving them 10 previous hashed passwords for each user is just increasing the hypothetical risk.

    • psilocybin@discuss.tchncs.de
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      You’re right ofc if you wanted to make a general remark, but wrong if you thought that was what I was implying. Never store hash histories, kids!