Oct 3, 2016 - Password similarity

Another interesting discussion broke out on Twitter today about Yahoo! preventing people from using passwords which are too similar to passwords they have used in the past. I agree with the general direction the discussion took: to compare a new password against old ones at all, Yahoo is probably storing plain-text or reversibly encrypted passwords, violating my 6 rules of password storage. It did get me thinking, though: is it possible to achieve a similar password filter in a secure way?
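One way to keep a similarity check without storing anything recoverable is to run it at the moment the user changes their password, when both the old and the new password are in hand in plaintext anyway; the history can then hold only slow, salted hashes, which catch exact reuse but not near-reuse of an older password. The Python below is an added example written for this page, not Yahoo's implementation and not code from the post; the helper names, the normalisation rule and the edit-distance threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Added example, not code from the original post. The names, the normalisation
# rule and the distance threshold are assumptions chosen for illustration.

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes = b"") -> str:
    """One-way, salted, memory-hard hash, stored as 'salthex:digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(password: str) -> str:
    """Assumed canonical form: lower-case with trailing digits and punctuation
    dropped, so 'Summer2015!' and 'Summer2016!' both collapse to 'summer'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def too_similar(old_plain: str, new_plain: str, max_distance: int = 2) -> bool:
    """True if the two plaintexts share a stem or are within a few edits."""
    a, b = normalise(old_plain), normalise(new_plain)
    if not a or not b:  # all-digit or all-symbol passwords normalise to nothing
        a, b = old_plain.lower(), new_plain.lower()
    return a in b or b in a or levenshtein(a, b) <= max_distance


class PasswordStore:
    """Holds only hashes: the current one plus a history of previous ones."""

    def __init__(self, initial_password: str):
        self.current = hash_password(initial_password)
        self.history = []  # previous hashes, never plaintext

    def change(self, old_plain: str, new_plain: str) -> str:
        """Returns 'bad_old', 'reused', 'too_similar' or 'ok'."""
        if not verify_password(old_plain, self.current):
            return "bad_old"
        # Exact reuse is checkable against every stored hash ...
        if any(verify_password(new_plain, h) for h in [self.current] + self.history):
            return "reused"
        # ... but similarity is only checkable against the one password we hold
        # in plaintext right now: the old one the user just typed. Near-reuse of
        # an older password cannot be detected without storing it recoverably.
        if too_similar(old_plain, new_plain):
            return "too_similar"
        self.history.append(self.current)
        self.current = hash_password(new_plain)
        return "ok"


if __name__ == "__main__":
    store = PasswordStore("Summer2015!")
    print(store.change("Summer2015!", "Summer2016!"))  # too_similar
    print(store.change("Summer2015!", "correct horse battery staple"))  # ok
    print(store.change("correct horse battery staple", "Summer2017!"))  # ok: old near-reuse is invisible
```

The last call in the usage block is the caveat: once "Summer2015!" has rotated into the history, only its hash remains, so a later change to "Summer2017!" passes. Catching that case is exactly what requires keeping old passwords in a recoverable form, which is the trade-off the Twitter discussion was pointing at.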

Oct 3, 2016 - 3rd Party Credential Management

An interesting question came up during my PHP North West unconf talk about The 6 rules of password storage: “How should you store a password for SMTP login?”. This is a slightly different problem from storing a user's password for your own site, because the credential has to be recoverable to be used, and it requires a different solution. I’ve decided to expand upon the answer I gave at the time to provide a reference for anyone else who has this problem.

Jul 25, 2016 - Writing defect free code

Defects in software are costly, some more so than others, so it is not surprising that TDD and BDD have become almost a standard part of software development. TDD and BDD are not the only ways to prevent defects, though: well-structured object-oriented code also helps reduce the rate of defects.

This post is intended as a set of guidelines (not rules) which I have adopted over the past few years to write code which has a low rate of defects, is easy for others to peer review and above all tries not to set traps and gotchas for the next developer who has to work with the code.