Just take the string as bytes and hash it ffs

  • @[email protected]
    link
    fedilink
    English
    34 months ago

    the password cannot contains the same sequences of characters as the old password.

    and i have seen this requirement in a service that requires changing it every month for some reasons.

    and this is to manage a government digital identity that allows to log it in all governments websites.

    • @PM_me_your_doggo
      link
      English
      1
      edit-2
      4 months ago

      the password cannot contains the same sequences of characters as the old password.

      That’s a weird way to say “we store your password in plaintext”

      • @[email protected]
        link
        fedilink
        English
        24 months ago

        Not necessarily. Presumably the change password form requires entering the old and new password at the same time. Then they can compare the two as plain text and hash the old password to make sure it matches, then if so, hash the new password and overwrite it. Passwords stored hashed, comparison only during the change process. A theme on this is checking password complexity rules during the login process and advising to update to something more secure. It’s possible because you’re sending the password as plain text (hopefully over a secure connection), so it can be analysed before computing the hash. This even works if the hash is salt and peppered.