Similarity comparisons with hashed passwords possible?

No, it does not mean they are storing the passwords in plain text. The question doesn't completely describe the behavior. Are they matching patterns only from your current password, or patterns from all 8 of your previous passwords?

If it's the first case, the answer is dead simple: they have the hashes of the 8 previous passwords to compare against, and when you change your password, you enter your current password as well as your new password, so they now have both of these in plain text to compare for patterns. This is more likely what is happening.

If it is the second case, there are still several other ways this could be done, including storing the passwords in an encrypted (rather than hashed) format, so they can be decrypted and compared, or storing the pattern (or mask) of your passwords along with the hashes and then disallowing new passwords that match any of those old masks. Arguably these options are not as secure as just storing the hashes, but that shouldn't particularly concern you... It's a risk to the business, not to you, and if they feel it's an acceptable risk, then that is their decision. Your only concern (and regardless of the password policy at your company, this should always be a concern for you) is to ensure that the passwords you use for the work network are different from the passwords you use everywhere else, so a compromise of your work password doesn't endanger your personal accounts and vice versa.
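The following is an added example, not code from the original answer, showing how both mechanisms the answer describes fit together in a password-change handler: the server keeps only salted hashes (plus an optional character-class mask) and can therefore answer only "identical or not" against old passwords, while the similarity check against the *current* password works purely because the user has just supplied both plaintexts. The 8-entry history follows the question; the 0.8 similarity threshold, the mask alphabet and the PBKDF2 parameters are illustrative assumptions.

```python
import difflib
import hashlib
import hmac
import os

# Added example (not from the original post). The history size follows the
# question; threshold, mask alphabet and KDF settings are assumptions.
HISTORY_SIZE = 8          # remembered (hash, mask) pairs, current one included
SIMILARITY_LIMIT = 0.8    # new vs. current plaintext; ratios at or above are rejected
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_mask(password: str) -> str:
    """Character-class pattern: u=upper, l=lower, d=digit, s=anything else."""
    out = []
    for ch in password:
        if ch.isupper():
            out.append("u")
        elif ch.islower():
            out.append("l")
        elif ch.isdigit():
            out.append("d")
        else:
            out.append("s")
    return "".join(out)


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio in [0, 1] between two plaintexts."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


class PasswordStore:
    """Keeps only (hash, mask) pairs; no plaintext survives change_password()."""

    def __init__(self, initial_password: str):
        self.history = [(hash_password(initial_password), password_mask(initial_password))]

    def change_password(self, current: str, new: str):
        """Return (accepted, reason). Both plaintexts exist only inside this call."""
        latest_hash, _ = self.history[-1]
        if not verify_password(current, latest_hash):
            return False, "current password is wrong"
        # Exact reuse of any remembered password: this is all a hash can tell us.
        for old_hash, _ in self.history:
            if verify_password(new, old_hash):
                return False, "password was used before"
        # Near-reuse of the *current* password: possible only because the user
        # just typed it; nothing about the stored hash would permit this.
        if similarity(current, new) >= SIMILARITY_LIMIT:
            return False, "too similar to current password"
        # Pattern reuse against older passwords: their plaintexts are gone, so
        # this relies on the masks stored alongside the hashes.
        if password_mask(new) in {mask for _, mask in self.history}:
            return False, "same character pattern as a previous password"
        self.history.append((hash_password(new), password_mask(new)))
        self.history = self.history[-HISTORY_SIZE:]
        return True, "password changed"


if __name__ == "__main__":
    store = PasswordStore("Winter2023!")          # constructed sample password
    for old, candidate in [("Winter2023!", "Winter2024!"),
                           ("Winter2023!", "Summer1999?"),
                           ("Winter2023!", "correct-horse-battery-7")]:
        print(candidate, "->", store.change_password(old, candidate))
```

Note that the mask check is the weakest of the three: it rejects "Summer1999?" after "Winter2023!" without ever seeing the old plaintext, but the stored masks also leak the shape of every remembered password to anyone who obtains the database, which is the trade-off the answer alludes to.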

Tags: Passwords, Hash