cristi32

Are passwords stored in cleartext if "password history" is enabled?


Hi guys,

 

this isn't a beginner question, but I didn't know where else to put it.

It's known that a proper system keeps its passwords hashed (Linux - hash with jump), and basically when you log in the system computes the hash and compares it with the hash in the database. So the system administrator basically has no access to the users' passwords; he can only change them.

It's known that any character changed or added in the password changes at least half of the hash, hence the irreversibility. Still, I don't understand how a system with "password history" implemented can work. My suspicion is that if this system is implemented, the passwords are stored somewhere in cleartext and a system administrator can basically get to them.

For example, on a Cisco next-generation firewall, when you enable that password enforcement option, if you keep about 4 consecutive characters of the old 10-character password when you want to change it, it won't let you. I say it has no way of noticing this similarity between the passwords unless it keeps the passwords in cleartext and can build combinations from them. It can't detect the similarity between the passwords starting only from the hashes of the old passwords.

 

The question boils down to roughly this.

Isn't it true that when you have a system that compares the new password against the old ones, the passwords are actually stored in cleartext (not hashed) inside the system, and that the system administrator can get access to them fairly easily?


https://softwareengineering.stackexchange.com/questions/177342/how-to-implement-a-safe-password-history

 

When the user changes their password, require them to enter their previous password. You now have access to two plain text passwords, even though you are not storing plain text passwords in your database.

Perform whatever verifications you want on these two passwords. This won't prevent the user from alternating between two passwords (with a suffix - you can prevent direct alternation per the suggestions in other answers), but it will prevent the more blatant cases.

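The approach the quoted answer describes, as an added example that is not from the original thread or from any vendor's implementation: retired passwords are kept only as salted PBKDF2 hashes (so direct alternation is caught by hashing the candidate and comparing), while the "4 consecutive characters" check is done on the two plaintexts that are both in memory only at change time. The history depth, iteration count and the 4-character threshold are assumed policy values, not the firewall's.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 5        # assumed: how many retired password hashes we keep
SHARED_RUN_LIMIT = 4     # assumed: reject reuse of 4+ consecutive old characters
ITERATIONS = 100_000     # assumed PBKDF2 work factor

def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) with a fresh random salt per stored entry, so two
    identical passwords never yield identical records and cannot be correlated."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def shares_run(old: str, new: str, n: int = SHARED_RUN_LIMIT) -> bool:
    """True if any n consecutive characters of the old password appear in the new one.
    This needs both plaintexts, which we only have while the change request is in flight."""
    old_l, new_l = old.lower(), new.lower()
    return any(old_l[i:i + n] in new_l for i in range(len(old_l) - n + 1))

class Account:
    def __init__(self, password: str):
        self.current = hash_password(password)           # (salt, digest) of the live password
        self.history: list[tuple[bytes, bytes]] = []     # salted hashes of retired passwords only

    def change_password(self, old: str, new: str) -> str:
        # 1. The user must prove they know the current password; this is what puts
        #    the old plaintext in memory without it ever being stored.
        if not verify(old, *self.current):
            return "wrong current password"
        # 2. Exact reuse of the current or any retired password: hash and compare,
        #    no plaintext history required.
        if any(verify(new, s, d) for s, d in [self.current, *self.history]):
            return "password was used recently"
        # 3. Similarity to the password being retired: plaintext-vs-plaintext, possible
        #    only against the immediately preceding password, never older ones.
        if shares_run(old, new):
            return "new password reuses 4+ consecutive characters of the old one"
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = hash_password(new)
        return "ok"
```

Note that step 3 can only ever compare against the password being replaced, which is exactly why a hash-only history cannot flag a new password that resembles one from three changes ago.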