Firewall Wizards mailing list archives

Re: password aging


From: "Stephen P. Gibbons" <steve () aztech net>
Date: Wed, 26 Aug 1998 17:02:14 -0700

I've been contemplating this issue for one of my own projects, and
have settled on storing a one-way hash of the soundex (or similar
algorithm) of the previous password(s).  This should catch the
"password1" changed to "passward2" changed to "passwurd3"
instances.

Multiple hash values of several commonly used transforms
(e.g. "p455w3rd" = "password") would catch most password re-use
without too much overhead.

Storing the hashes system-wide so that user2 wouldn't be
allowed to use a password that had been previously used
by user1 or user3 is another option.  Use a strong hash, and
chmod 0600 the history file if you do this.  Yeah, an HMAC
would work better, but then you can't easily combine histories
and have to protect the key used.

I won't tread on the "reusable passwords are evil" discussion,
since what I've outlined is to be part of a system that supports
multiple authentication methods (passwords being just one
piece of the puzzle.)

Apologies for rambling, (waaaay off topic to boot)

--
Steve

Paul M. Cardon wrote:

"H. Morrow Long" thus spake unto me:
I'm presuming that you should store hashes of previous passwords,
and not store the actual passwords themselves...
- Morrow

That would seem obvious except that a one-way hash will leave you with the
ability to check for prior use of exactly the same password but not use of a
closely similar password.

-paul
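
A worked version of the scheme Steve sketches above, added here as an illustration and not code from the original thread. It normalises a candidate password (lowercase, undo a few common "leet" substitutions, strip digits and punctuation), computes the American Soundex code of the result, and stores only salted slow hashes of each transform in a history; a new password is rejected when any of its transforms hashes to something already in the history. Names such as `PasswordHistory`, `SYSTEM_SALT`, `KDF_ROUNDS` and the `LEET` table are assumptions for this example. Two points worth keeping in mind: there are only about 26,000 possible Soundex codes, so a bare fast hash of a Soundex code is trivially recoverable by anyone who can read the file, which is why this version uses PBKDF2 with a deliberately high iteration count; and the salt is system-wide so that histories can be merged for the user1/user2/user3 policy, which means the salt file needs the same 0600 protection as the history.

```python
import hashlib
import re
from typing import Set

# Assumed, constructed parameters for this example.  On a real system the
# salt would live in a 0600-protected file next to the history, because
# anyone holding both can brute-force the ~26,000 possible soundex codes.
SYSTEM_SALT = b"example-system-wide-salt"
KDF_ROUNDS = 50_000   # slow KDF rather than a bare hash, for the reason above

# Reverse map for a few common "leet" substitutions (p455w3rd -> password).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "0": "o",
                      "5": "s", "$": "s", "7": "t"})

# American Soundex consonant classes; vowels, h, w and y get no code.
SOUNDEX_CODES = {**dict.fromkeys("bfpv", "1"), **dict.fromkeys("cgjkqsxz", "2"),
                 **dict.fromkeys("dt", "3"), "l": "4",
                 **dict.fromkeys("mn", "5"), "r": "6"}


def soundex(word: str) -> str:
    """Standard 4-character American Soundex code, e.g. soundex('Robert') == 'R163'."""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return "0000"
    out = letters[0].upper()
    prev = SOUNDEX_CODES.get(letters[0], "")
    for c in letters[1:]:
        if c in "hw":          # h and w do not separate two identical codes
            continue
        code = SOUNDEX_CODES.get(c, "")
        if code and code != prev:
            out += code
        prev = code            # a vowel resets prev, so the same code may repeat after it
    return (out + "000")[:4]


def transforms(password: str) -> Set[str]:
    """Canonical forms whose hashes go into the history.

    Each form is tagged so that a literal password that happens to equal
    another password's soundex code cannot collide with it.
    """
    forms = {"exact:" + password}
    stem = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    if stem:                   # all-digit passwords have no stem and no soundex
        forms.add("stem:" + stem)
        forms.add("soundex:" + soundex(stem))
    return forms


def digest(form: str) -> str:
    """Salted slow hash of one transform; only these digests are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", form.encode("utf-8"),
                               SYSTEM_SALT, KDF_ROUNDS).hex()


class PasswordHistory:
    """Set of digests of past passwords' transforms; no plaintext, no soundex codes."""

    def __init__(self) -> None:
        self._seen: Set[str] = set()

    def is_reuse(self, candidate: str) -> bool:
        """True if any transform of the candidate matches a remembered one."""
        return any(digest(f) in self._seen for f in transforms(candidate))

    def remember(self, password: str) -> None:
        self._seen.update(digest(f) for f in transforms(password))

    def merge(self, other: "PasswordHistory") -> None:
        """Combine histories (system-wide policy); works because the salt is shared."""
        self._seen |= other._seen


if __name__ == "__main__":
    history = PasswordHistory()
    history.remember("password1")
    for candidate in ["passward2", "passwurd3", "p455w3rd", "Password1",
                      "pushrod", "correct horse battery staple"]:
        print(f"{candidate!r:32} reuse={history.is_reuse(candidate)}")
```

Run as a script it rejects "passward2", "passwurd3", "p455w3rd" and "Password1" after "password1" has been remembered, and accepts "correct horse battery staple". It also rejects "pushrod", which is unrelated but shares the Soundex code P263 with "password": that false-positive rate is the price of matching by phonetic similarity, and a deployment would want to tell the user it was a similarity match rather than an exact one.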
