
Re: minimum number of days between password change



On 11/03/2010 10:41 AM, Robert Brockway wrote:
[snip]

Personally I don't think much of keeping a record of old password
hashes but for a different reason: they are easily circumvented by
the user changing their password several times until they can reuse
the old one again.

Then, instead of retaining N number of hashes, you keep N number of days/months of hashes.

Some organisations have tried to prevent this by
limiting how quickly passwords can be changed - the problem with
this approach should be obvious :)


--
Seek truth from facts.
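
The two retention policies discussed in this message, as an added example that is not part of either poster's text: a count-based history (last N hashes) and a time-based history (N days of hashes), each exercised with the rapid change-and-return pattern described above. `PasswordHistory`, `cycle_back`, the PBKDF2 parameters and the timestamps are assumptions made for illustration.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

ITERATIONS = 10_000  # assumption: low demo value so the example runs quickly

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class PasswordHistory:
    """Hypothetical history store: entries are (changed_at, salt, digest)."""

    def __init__(self, keep_count=None, keep_for=None):
        self.keep_count = keep_count  # count policy: retain the last N hashes
        self.keep_for = keep_for      # time policy: retain hashes newer than this
        self.entries = []

    def _prune(self, now):
        if self.keep_for is not None:
            self.entries = [e for e in self.entries if now - e[0] < self.keep_for]
        if self.keep_count:
            self.entries = self.entries[-self.keep_count:]

    def change(self, new_password, now):
        """Return True if accepted, False if it matches a retained hash."""
        self._prune(now)
        for _, salt, digest in self.entries:
            # Each entry has its own salt, so the candidate is re-hashed per entry.
            if hmac.compare_digest(_digest(new_password, salt), digest):
                return False
        salt = os.urandom(16)
        self.entries.append((now, salt, _digest(new_password, salt)))
        self._prune(now)
        return True

def cycle_back(history, favourite, throwaways, start):
    """Set favourite, burn through throwaway passwords a minute apart,
    then report whether favourite is accepted again."""
    now = start
    history.change(favourite, now)
    for i in range(throwaways):
        now += timedelta(minutes=1)
        history.change(f"throwaway-{i}", now)
    return history.change(favourite, now + timedelta(minutes=1))

START = datetime(2010, 11, 3)  # constructed timestamp
if __name__ == "__main__":
    print("last 5 hashes:", cycle_back(PasswordHistory(keep_count=5), "fav", 5, START))
    print("365 days of hashes:",
          cycle_back(PasswordHistory(keep_for=timedelta(days=365)), "fav", 5, START))
```

With the time policy the store grows with every change made inside the window, so the reuse check costs one hash computation per retained entry.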

