I have what seems to be mutually exclusive requirements for password policy that I’m not sure how to implement.
The first two are reasonable. store hashed passwords and a new password much not match the last 5.
The requirement I can’t figure out is “require the change of at least 8 characters in the password when passwords are changed”. The only thing I can think of for this is requiring the current password, validating that and then comparing the current and new passwords. Does anyone have any idea if I can even do this via a SPI?