
Please, Stop Helping the Hackers Guess My Passwords - andrewmunsell
http://www.andrewmunsell.com/blog/passwords#.UT4h1rm3410.hackernews
======
3825
>After all, you aren't storing my password in its raw form, so length
shouldn't matter for your VARCHAR(30) database field, right?

How can Google (helpfully) tell me that I changed my password so many days
ago? Am I over-thinking this? Is it possible they just save the salt and hash
of all my previous passwords and when I enter a password, it checks against
this list to tell when I changed my password? Just because they know what I
entered is my previous password does not mean they actually keep my previous
password in plain text, right? It makes sense in my head but I just wanted to
ask more knowledgeable people. Thank you.
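
As an added illustration of the mechanism the comment above suggests (example code written for this page, not Google's implementation or code from the linked article): each retired password is kept only as a salt plus a PBKDF2 digest together with the date it was replaced, so a failed login can be matched against that history and the service can report how many days ago the change happened without ever holding the plaintext. The passphrases, dates and iteration count are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Work factor kept low so the demo runs fast; real deployments use far more or scrypt/Argon2.
ITERATIONS = 100_000

def derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    retired_on: Optional[date] = None  # day this password was replaced by a new one

@dataclass
class Account:
    current: Optional[PasswordRecord] = None
    history: list = field(default_factory=list)

    def set_password(self, password: str, today: date) -> None:
        # Retire the old record (salt, digest, date) instead of discarding it.
        if self.current is not None:
            self.current.retired_on = today
            self.history.append(self.current)
        salt = os.urandom(16)
        self.current = PasswordRecord(salt, derive(password, salt))

    def check_login(self, password: str, today: date) -> tuple:
        # Returns (accepted, days_since_change); the second value is set only when the
        # attempt matches a retired password, which suffices for "you changed it N days ago".
        cur = self.current
        if cur and hmac.compare_digest(derive(password, cur.salt), cur.digest):
            return True, None
        for old in self.history:
            if hmac.compare_digest(derive(password, old.salt), old.digest):
                return False, (today - old.retired_on).days
        return False, None

def demo() -> tuple:
    # Constructed scenario: passphrase set 1 Jan 2013, replaced 1 Mar 2013, login on 12 Mar.
    acct = Account()
    acct.set_password("correct horse battery staple", date(2013, 1, 1))
    acct.set_password("constructed-new-passphrase", date(2013, 3, 1))
    return tuple(acct.check_login(p, date(2013, 3, 12)) for p in
                 ("constructed-new-passphrase", "correct horse battery staple", "not-a-password"))
```

Running `demo()` yields `(True, None)` for the current passphrase, `(False, 11)` for the retired one (eleven days after it was replaced), and `(False, None)` for an unknown string.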

~~~
davidddavidson
Why wouldn't they just store the date of when you last changed your password?

~~~
klez
Because they show that only when you type your old password instead of your
new one.

------
jeremyjh
I wonder how many people actually use the exact phrase "correct horse battery
staple" as their password.

~~~
3825
That'd be fine as long as they're not reusing it everywhere.

~~~
h0w412d
I don't think so. Any password that's listed anywhere (like as an example in a
blog post or comic) should be considered worthless. How do you know hackers
haven't incorporated that into their dictionary?

