This is a general question regarding NTLM password hashing and password policy enforcer programs.

If Windows & Samba only store the hash value of a user's password (which by definition is a one-way computation), when it comes time for the user to change his/her password, how do password policy enforcers know what the user's past 5-10 passwords are to check against?

Are the passwords usually stored in a db created by the password policy enforcer program, or is the password stored somewhere else on the system?

Thanks in advance for any responses.

Hugo Kleinhans