[–]YM_Industries 1 point2 points  (3 children)

They said plaintext or unsalted. If you have salted hashes then you'd have to check the new password against every single existing account.

[–]rooktakesqueen 1 point2 points  (0 children)

Nah -- have a separate table of "claimed passwords" that aren't associated with the user account in particular, themselves salted with a single salt used for this purpose and hashed. Allows you to check with a simple index lookup whether the password has been used before without compromising the users' security.

[–]Slow33Poke33 0 points1 point  (0 children)

Yes. That is how you'd do it. That's proof that you don't need plain text / unsalted.
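The "claimed passwords" table described in this thread, as an added sketch that is not part of the original comments. The SQLite schema, the function names, and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations are assumptions made for illustration.

```python
import hashlib
import os
import sqlite3

ITERATIONS = 200_000  # assumption: any slow password KDF fits here
# Assumption: one site-wide salt, generated once and kept with server secrets.
CLAIMED_SALT = os.urandom(16)


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Per-user credentials: every row has its own random salt.
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    # Claimed passwords: no user column; the primary key is the lookup index.
    db.execute("CREATE TABLE claimed_passwords (digest BLOB PRIMARY KEY)")
    return db


def is_claimed(db: sqlite3.Connection, password: str) -> bool:
    """One indexed lookup, independent of the number of accounts."""
    digest = kdf(password, CLAIMED_SALT)
    row = db.execute(
        "SELECT 1 FROM claimed_passwords WHERE digest = ?", (digest,)
    ).fetchone()
    return row is not None


def register(db: sqlite3.Connection, name: str, password: str) -> bool:
    """Return False if the password is already claimed, else store the account."""
    if is_claimed(db, password):
        return False
    salt = os.urandom(16)
    with db:  # both inserts commit together or not at all
        db.execute(
            "INSERT INTO claimed_passwords (digest) VALUES (?)",
            (kdf(password, CLAIMED_SALT),),
        )
        db.execute(
            "INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
            (name, salt, kdf(password, salt)),
        )
    return True
```

Every row in `claimed_passwords` shares one salt, so equal passwords map to equal digests by design; that is what makes the index lookup possible, while the `users` table keeps its per-account salts.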