I am wondering how the password policy "your new password must differ at least n characters from your old password" works.
My understanding is that the OS never actually stores the old passwords themselves, but their hash codes instead. And there is no way of knowing in how many characters the two strings differ if you have only their hash codes.
Am I right in the guess that it can work only if the passwd program asks you explicitly at the same time also for your old password?
And is the consequence that if a root user changes someone else's password, the "number of different characters" policy simply cannot be applied here?
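The flow the question hypothesises, as an added sketch that is not part of the original post and not the code of any real passwd or PAM module: the two stored hashes give no usable similarity signal, so the difference check runs only when the old plaintext is supplied together with the new one. Assumptions: PBKDF2 stands in for the system's password hash, Levenshtein edit distance stands in for "differs in n characters", and all function names, the salt and the passwords are constructed.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value

def hash_password(password: str, salt: bytes = SALT) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the system's crypt scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def bit_distance(a: bytes, b: bytes) -> int:
    # Number of differing bits between two digests of equal length.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def edit_distance(old: str, new: str) -> int:
    # Levenshtein distance; needs both plaintexts, hashes are useless here.
    prev = list(range(len(new) + 1))
    for i, co in enumerate(old, 1):
        cur = [i]
        for j, cn in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (co != cn)))
        prev = cur
    return prev[-1]

def change_password(stored_hash, old_plain, new_plain, min_diff, is_root=False):
    """Hypothetical password-change flow. Returns (accepted, reason)."""
    if old_plain is None:
        if not is_root:
            return (False, "old password required")
        # Administrative reset: no old plaintext, so the policy cannot run.
        return (True, "difference check skipped")
    if not hmac.compare_digest(hash_password(old_plain), stored_hash):
        return (False, "old password incorrect")
    if edit_distance(old_plain, new_plain) < min_diff:
        return (False, "too similar to old password")
    return (True, "ok")

if __name__ == "__main__":
    old, near, far = "Summer2023!", "Summer2024!", "kettle-Orbit-91"  # constructed
    stored = hash_password(old)
    # One changed character still flips roughly half of the 256 digest bits.
    print("digest bits differing:", bit_distance(stored, hash_password(near)))
    print(change_password(stored, old, near, min_diff=4))
    print(change_password(stored, old, far, min_diff=4))
    print(change_password(stored, None, near, min_diff=4, is_root=True))
```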