Texas Attorney General Password Rules (tx.us)
13 points by valuegram on July 22, 2014 | hide | past | favorite | 14 comments


They're not necessarily storing passwords in the clear (though the Texas Secretary of State does[1], so it wouldn't surprise me).

For example, when updating a password on Facebook, they check to see if your new password is similar to your previous one by creating several variants of the new password, hashing them, and seeing if the hash matches any of your old password hashes.

[1] http://plaintextoffenders.com/post/68152196480/sos-state-tx-...
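As an added illustration of the change-time check the comment above describes (this is example code written for this page, not Facebook's implementation, which the thread does not show): generate a small set of variants of the proposed new password, run each through the same salted KDF that produced the stored old hashes, and reject the new password if any variant matches. PBKDF2-HMAC-SHA256, the iteration count, the variant rules and the sample passwords are all assumptions for the demo.

```python
import hashlib
import hmac
import os
import re

# Assumed parameters: PBKDF2-HMAC-SHA256 stands in for whatever KDF a real
# site uses; the iteration count is kept low so the demo runs quickly.
ITERATIONS = 20_000
HASH_NAME = "sha256"


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted slow hash of one candidate string."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def make_record(password):
    """What gets stored when a password is set: a fresh salt and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def variants(pw):
    """Candidate 'nearby' passwords. Every one costs a full KDF run per old
    record, so the set is limited to a few dozen cheap, common edits."""
    out = {pw, pw.lower(), pw.upper(), pw.swapcase(), pw.capitalize(), pw[::-1]}
    # single-character deletions: catches new = old + one extra character
    for i in range(len(pw)):
        out.add(pw[:i] + pw[i + 1:])
    # bumping a trailing number: Summer2013 -> Summer2014
    m = re.match(r"^(.*?)(\d+)$", pw)
    if m:
        stem, num = m.groups()
        for delta in (-2, -1, 1, 2):
            n = int(num) + delta
            if n >= 0:
                out.add(f"{stem}{n:0{len(num)}d}")
    # dropping a trailing symbol: hunter2! -> hunter2
    if pw and pw[-1] in "!@#$%^&*?.":
        out.add(pw[:-1])
    out.discard("")
    return out


def too_similar(new_password, old_records):
    """True if any variant of the new password hashes to a stored old hash.
    Only the variants are ever hashed; old passwords are never recovered."""
    cands = variants(new_password)
    for rec in old_records:
        for v in cands:
            if hmac.compare_digest(hash_password(v, rec["salt"]), rec["hash"]):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample history: two previous passwords, stored hashed.
    history = [make_record("Summer2013"), make_record("hunter2")]
    for attempt in ("Summer2014", "SUMMER2013", "hunter2!", "correct horse battery"):
        verdict = "rejected" if too_similar(attempt, history) else "ok"
        print(f"{attempt!r}: {verdict}")
```

The cost is (number of variants) x (number of stored old hashes) KDF evaluations per password change, which is why the variant set has to stay small and why this only catches the edits you thought to enumerate; anything outside that set passes.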


Do you have a source on the Facebook statement? I would be interested in hearing how they create the variants.


Ostensibly this is from a FB engineer, in retrospect I realize I don't know how to verify that: http://security.stackexchange.com/questions/53481/does-faceb...


Unfortunately these asinine password requirements occur quite often. It's basically an indication that the site itself has poor security, and they're requiring a strong password to mitigate that risk. Also, if they are storing the password in plain-text, then it doesn't really matter how many fucking special characters your users have in their passwords :)

Also, users will just write down the password.


Writing down passwords isn't necessarily bad [1].

[1] https://www.schneier.com/blog/archives/2005/06/write_down_yo...


It's kind of fun working out how many passwords that is.

So letters + numbers + 3 special characters. Our first and last positions can't be special characters, and we can't have the same letters concurrently, so we're in the ballpark of:

62^2 * 64^6 = 264,157,668,573,184 passwords

However, passwords must contain a letter, number, and special character. This means that we can eliminate the entire letters + numbers set, the numbers + specials set, and the letters + specials set:

(62^2 * 64^6) - (62 * 61^7) - (10^2 * 12^6) - (52^2 * 54^6) = 2,261,873,997,098 - Did I get that math right?

That's still a decently large space, but it's small enough to be attackable even if the passwords are hashed.
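The count in the comment above is an approximation; the rules as read in the thread (exactly 8 characters, letters plus digits plus a few specials, no special in the first or last position, no two identical characters in a row, at least one character from each class) can be counted exactly with a small dynamic program over (last character, classes seen so far). This is an added example, not from the original page; the thread never lists the special characters, so the three used here are a placeholder, and a brute-force enumerator over a tiny alphabet is included as a cross-check.

```python
import itertools
import string
from collections import defaultdict

# Assumed character classes. The thread says "letters + numbers + 3 special
# characters" but never lists the specials, so these three are a placeholder.
LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!@#"


def char_class(c, letters, digits):
    """0 = letter, 1 = digit, 2 = special (anything else in the alphabet)."""
    if c in letters:
        return 0
    if c in digits:
        return 1
    return 2


def is_valid(pw, letters, digits, specials):
    """Rules as read in the thread: no special in first/last position,
    no two identical characters in a row, at least one of each class."""
    if pw[0] in specials or pw[-1] in specials:
        return False
    if any(a == b for a, b in zip(pw, pw[1:])):
        return False
    classes = {char_class(c, letters, digits) for c in pw}
    return classes == {0, 1, 2}


def brute_force_count(length, letters, digits, specials):
    """Enumerate everything; only feasible for tiny alphabets (cross-check)."""
    alphabet = letters + digits + specials
    return sum(1 for t in itertools.product(alphabet, repeat=length)
               if is_valid("".join(t), letters, digits, specials))


def count_passwords(length, letters=LETTERS, digits=DIGITS, specials=SPECIALS):
    """Exact count via dynamic programming over (last character, class mask).
    Mask bits: 1 = letter seen, 2 = digit seen, 4 = special seen."""
    alphabet = letters + digits + specials
    cls = {c: char_class(c, letters, digits) for c in alphabet}
    # position 0: anything but a special
    states = defaultdict(int)
    for c in alphabet:
        if c not in specials:
            states[(c, 1 << cls[c])] += 1
    for pos in range(1, length):
        last = pos == length - 1
        nxt = defaultdict(int)
        for (prev, mask), n in states.items():
            for c in alphabet:
                if c == prev or (last and c in specials):
                    continue
                nxt[(c, mask | (1 << cls[c]))] += n
        states = nxt
    # keep only strings that have seen all three classes
    return sum(n for (_, mask), n in states.items() if mask == 0b111)


if __name__ == "__main__":
    total = count_passwords(8)
    print(f"exactly 8 chars, all constraints: {total:,}")
    print(f"naive 65^8 upper bound:           {65 ** 8:,}")
```

Swap in the real special-character list and the exact count for the policy falls out; the same DP extends to any "no repeats / positional class restriction / must-contain" rule set by widening the state.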


Two trillion? That's pitiful. That could be cracked even if it's hashed with a slow algorithm.


Assuming you have unrestricted access to the user information, which to me usually means I already have unfettered access to your system, why would I need passwords?

Do many systems allow nearly unlimited attempts? Is this common on some platforms? For all except the most locked-down users (single task), it pretty much is three strikes, you're out; call to fix your access.


They're storing passwords in the clear, otherwise they wouldn't be able to enforce the "cannot be too similar" rule.


Not necessarily — if you require the user to type in "old password" and "new password" when they change their password then you have both passwords in cleartext at once and can check for similarity.

You wouldn't be able to enforce "cannot be similar to the previous 8 passwords" like that, but they don't.


The EXACTLY 8 characters worries me, because it suggests that they are storing the password in plaintext in an 8 character column.


Probably stored in 9, 8-character columns, labeled "last_password_1", "last_password_2", etc, given #10.


One 72 character column. Why make it complicated!


> If you have user ID or password problems, use the following address (place in the “To” field) to send an e-mail requesting assistance: websec.adminp@cs.oag.state.tx.us

This poor guy.



