6 comments

[ 2.6 ms ] story [ 24.5 ms ] thread
>After all, you aren't storing my password in it's raw form, so length shouldn't matter for your VARCHAR(30) database field, right?

How can Google (helpfully) tell me that I changed my password so many days ago? Am I over-thinking this? Is it possible they just save the salt and hash of all my previous passwords and when I enter a password, it checks against this list to tell when I changed my password? Just because they know what I entered is my previous password does not mean they actually keep my previous password in plain text, right? It makes sense in my head but I just wanted to ask to more knowledgeable people. Thank you.

Why wouldn't they just store the date of when you last changed your password?
Because they show that only when you type your old password instead of your new one.
I wonder how many people actually use the exact phrase "correct horse battery staple" as their password.
That'd be fine as long as they're not reusing it everywhere.
I don't think so. Any password that's listed anywhere (like as an example in a blog post or comic) should be considered worthless. How do you know hackers haven't incorporated that into their dictionary?