Firewall Wizards mailing list archives

Re: password aging


From: Adam Shostack <adam () weathership homeport org>
Date: Mon, 24 Aug 1998 10:27:00 -0400


        Several people have suggested this, some in private mail.  If
you store old passwords in a different format than the OS, you may
well be opening up a security vulnerability.

        Here, I can trial passwords as l0phtcrack does, because you're
storing a hash, and forgot the salt.  It's likely that even with a
salt, you're still vulnerable to a faster attack than UNIX crypt.  So,
if you're implementing this stuff, be careful.



| I'm presuming that you should store hashes of previous passwords,
| and not store the actual passwords themselves.
| 
| From: Adam Shostack <adam () weathership homeport org>
| >     Various people assert that its a good idea to maintain a
| >history of user passwords so that they can't change their password to
| >a previous password.  However, I'm having trouble finding a reference
| >to this in the literature that examines the issue of how many
| >passwords to save and why.  The lime green book (password management)
| >says not to let the user use their previous password, but doesn't go
| >into storing a history.
| >

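The two failure modes Adam describes (a history store that hashes without a salt, so one precomputed dictionary cracks every user's old passwords at once; and a salted store whose hash is so fast that per-guess cost is still far below UNIX crypt) can be shown side by side. The following is an added example, not code from the original post or from any product it mentions; the user names, old passwords and wordlist are constructed for the demo, MD5 stands in for the unnamed "hash without a salt", and PBKDF2-HMAC-SHA256 stands in for a deliberately slow, salted scheme of the kind the post says a history store should not fall short of.

```python
import hashlib
import hmac
import os

# Constructed demo wordlist: the guesses an attacker would try.
WORDLIST = ["password", "letmein", "summer98", "firewall", "qwerty"]


def store_history_unsalted(old_passwords):
    """The weak pattern the post warns about: a bare, unsalted fast hash
    of each previous password (MD5 is an assumption for the demo)."""
    return [hashlib.md5(p.encode()).hexdigest() for p in old_passwords]


def crack_unsalted(histories, wordlist):
    """One precomputed table serves every user and every history slot:
    total hashing work is len(wordlist), independent of the user count."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: [table.get(h) for h in hashes]
            for user, hashes in histories.items()}


def guess_work_unsalted(histories, wordlist):
    """Hash evaluations needed to attack an unsalted store: one table."""
    return len(wordlist)


def store_history_salted(old_passwords, iterations=100_000):
    """Per-entry random salt plus a slow KDF. Each entry is stored as
    (salt, iterations, derived_key) so it can be re-derived later."""
    entries = []
    for p in old_passwords:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        entries.append((salt, iterations, dk))
    return entries


def check_history(candidate, entries):
    """The only legitimate use of the store: reject a new password that
    matches any previous one. Constant-time compare of the derived keys."""
    for salt, iterations, dk in entries:
        trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        if hmac.compare_digest(trial, dk):
            return True
    return False


def guess_work_salted(histories, wordlist):
    """KDF evaluations needed to attack a salted store: no shared table, so
    every (entry, guess) pair costs a full KDF run."""
    return sum(len(entries) * len(wordlist) for entries in histories.values())


if __name__ == "__main__":
    # Constructed users and previous passwords.
    weak = {"alice": store_history_unsalted(["password", "summer98"]),
            "bob": store_history_unsalted(["letmein"])}
    print("unsalted store cracked:", crack_unsalted(weak, WORDLIST))
    print("attacker hash evaluations, unsalted:", guess_work_unsalted(weak, WORDLIST))

    strong = {"alice": store_history_salted(["password", "summer98"]),
              "bob": store_history_salted(["letmein"])}
    print("attacker KDF evaluations, salted:", guess_work_salted(strong, WORDLIST))
    print("alice reusing 'password' rejected:", check_history("password", strong["alice"]))
    print("alice choosing 'firewall' rejected:", check_history("firewall", strong["alice"]))
```

With the unsalted store the attacker builds five MD5 values once and reads off every user's old passwords; with the salted store the same wordlist costs fifteen KDF runs at 100,000 iterations each, and grows linearly with the number of stored entries. The history check itself only ever needs the slow path once per candidate per stored entry, so the cost lands on the attacker, not on the user changing a password.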

