Just take the string as bytes and hash it ffs

  • Discover5164@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    4 months ago

    the password cannot contains the same sequences of characters as the old password.

    and i have seen this requirement in a service that requires changing it every month for some reasons.

    and this is to manage a government digital identity that allows to log it in all governments websites.

    • PM_me_your_doggo@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      4 months ago

      the password cannot contains the same sequences of characters as the old password.

      That’s a weird way to say “we store your password in plaintext”

      • blackstrat@lemmy.fwgx.uk
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        4 months ago

        Not necessarily. Presumably the change password form requires entering the old and new password at the same time. Then they can compare the two as plain text and hash the old password to make sure it matches, then if so, hash the new password and overwrite it. Passwords stored hashed, comparison only during the change process. A theme on this is checking password complexity rules during the login process and advising to update to something more secure. It’s possible because you’re sending the password as plain text (hopefully over a secure connection), so it can be analysed before computing the hash. This even works if the hash is salt and peppered.