It looks for long common substrings between the old and new password, removes them from the new password, and then checks if what is left over passes the strength rules.
So for example, merely tacking '1234' on the end of the password will fail. Or changing 'abcdefghijklmnop' to 'abcdefghXijklmnop'.
Last edited by neonsignal; 11-02-2012 at 05:22 AM.
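The check described in the post above, as an added example that is not part of the original post and not the code of the tool being discussed. The function names, the thresholds (`MIN_COMMON`, `MIN_LENGTH`, `MIN_CLASSES`), the case-insensitive comparison and the sample passwords are assumptions chosen for illustration.

```python
MIN_COMMON = 4   # assumed: shortest shared run that counts as a "long" common substring
MIN_LENGTH = 8   # assumed strength rule: minimum length of what is left over
MIN_CLASSES = 2  # assumed strength rule: minimum number of character classes


def strip_common(old: str, new: str, min_common: int = MIN_COMMON) -> str:
    """Return `new` with every run of >= min_common characters shared with `old` removed."""
    old_l = old.lower()  # assumed: case changes alone do not make a password "new"
    covered = [False] * len(new)
    # Any shared run of length >= min_common is fully covered by sliding windows
    # of exactly min_common characters that also occur in the old password.
    for i in range(len(new) - min_common + 1):
        if new[i:i + min_common].lower() in old_l:
            for j in range(i, i + min_common):
                covered[j] = True
    return "".join(ch for ch, hit in zip(new, covered) if not hit)


def char_classes(s: str) -> int:
    """Count how many of lower / upper / digit / other classes appear in s."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in s) for t in tests)


def is_strong(s: str) -> bool:
    """Stand-in strength rule (assumed); a real policy would be stricter."""
    return len(s) >= MIN_LENGTH and char_classes(s) >= MIN_CLASSES


def check_new_password(old: str, new: str):
    """Apply the strength rule to the new password minus the reused parts."""
    remainder = strip_common(old, new)
    return is_strong(remainder), remainder


if __name__ == "__main__":
    old = "abcdefghijklmnop"  # constructed sample, taken from the post's example
    for candidate in ("abcdefghijklmnop1234", "abcdefghXijklmnop", "Tr4ctor-Quilt-92"):
        ok, left = check_new_password(old, candidate)
        print(f"{candidate!r}: remainder={left!r} accepted={ok}")
```

Both variants from the post are rejected because only `1234` and `X` survive the stripping step, while an unrelated password is evaluated in full.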