password records done the correct way

[Destramic]

hey guys i want to pick you brains regarding user password records please.

 

what im trying to achieve is when the user changes his/her password in 6 months time that its not the same as previous passwords.

 

when a user registers i use password_hash() for the password and insert into users database table...now i want to keep a record of passwords in my password_records table.

 

1. do i save the password (not hashed) so i can compare in later in the future?

or

2. save the hashed password in the password records and do a foreach loop of the password hashes using password_verify()?

 

may seem transparent to go with the lata, but any advise or a better solution would be great.

 

thank guys

 

 

[NotionCommotion]

If you are going to save the passwords in the database, don't even bother hashing them in the first place.  That being said, you don't want to not hash your passwords, thus do the second choice!

[Ch0cu3r]

If you are going to allow the user to change their password then all you need to do is get the user to provide their current password and their new password. If hashing their current password matches the password hash stored in the database then you hash the new password they provided and update the password hash stored in the database.

[NotionCommotion]

If you are going to allow the user to change their password then all you need to do is get the user to provide their current password and their new password. If hashing their current password matches the password hash stored in the database then you hash the new password they provided and update the password hash stored in the database.

 

I've seen applications which prevent me from using the same password if used for the past 10 passwords.  Don't know if this really improves security as it forces one to put sticky notes all over their monitor, and it gets hard to even see the monitor thru all of them.  But if this functionality was desired, you would need to store the previous hashed passwords.

[kicken]

If you want to prevent them from re-using upto x passwords, then what you'd want to do is save the prior hash values and compare the new value with them. Storing the unhashed password would mean that anyone who gained access to the database would be able to see all the user's current (and prior) passwords in plain text. Since people often re-use their password leaking a user's password not only gives the attacker the password for your site, but potentially many over sites the user also uses.

 

I personally wouldn't worry about anything beyond checking their new password isn't the same as the current password (if even that). If they want to re-use some password let them. There's nothing I hate more than a site telling me my chosen password is no good, regardless of the reason why they think it's no good.

[NotionCommotion]

There's nothing I hate more than a site telling me my chosen password is no good, regardless of the reason why they think it's no good.

 

I totally agree.  For most applications, the user should assess the risk, and chose a  password of applicable strength.

[Destramic]

i'm not a great fan of passwords being changed on demand either but thought it may help security...but thank you for you views and help guys...gonna go with looping it and checking it through a loop

 

cheers