Firewall Wizards mailing list archives
Re: password aging
From: "Stephen P. Gibbons" <steve () aztech net>
Date: Wed, 26 Aug 1998 17:02:14 -0700
I've been contemplating this issue for one of my own projects, and have settled on storing a one-way hash of the soundex (or similar algorithm) of the previous password(s). This should catch the "password1" changed to "passward2" changed to "passwurd3" instances. Multiple hash values of several commonly used transforms (e.g. "p455w3rd" = "password") would catch most password re-use without too much overhead.

Storing the hashes system-wide so that user2 wouldn't be allowed to use a password that had been previously used by user1 or user3 is another option. Use a strong hash, and chmod 0600 the history file if you do this. Yeah, an HMAC would work better, but then you can't easily combine histories and have to protect the key used.

I won't tread on the "reusable passwords are evil" discussion, since what I've outlined is to be part of a system that supports multiple authentication methods (passwords being just one piece of the puzzle.)

Apologies for rambling, (waaaay off topic to boot)

-- Steve

Paul M. Cardon wrote:
> "H. Morrow Long" thus spake unto me:
>
> > I'm presuming that you should store hashes of previous passwords, and not store the actual passwords themselves...
> >
> > - Morrow
>
> That would seem obvious except that a one-way hash will leave you with the ability to check for prior use of exactly the same password but not use of a closely similar password.
>
> -paul
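The scheme Steve sketches above (store only hashes of a Soundex code and of substitution-normalised forms, then test a proposed password against that history) as an added Python example; it is not code from the post, and the substitution table, the salt and the sample passwords are all constructed here.

```python
import hashlib

# Undo common keyboard substitutions ("p455w0rd" -> "password"); constructed table.
LEET = str.maketrans("431057@$", "aeiostas")
# Standard Soundex letter groups, flattened to letter -> digit.
_SOUNDEX = {c: d for d, group in {"1": "bfpv", "2": "cgjkqsxz", "3": "dt",
                                    "4": "l", "5": "mn", "6": "r"}.items() for c in group}


def normalize(password: str) -> str:
    """Lower-case, drop a trailing counter/punctuation, undo substitutions."""
    return password.lower().rstrip("0123456789!@#$%^&*.").translate(LEET)


def soundex(word: str) -> str:
    """Standard four-character Soundex code, e.g. 'password' -> 'P263'."""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return ""
    out, last = letters[0].upper(), _SOUNDEX.get(letters[0], "")
    for c in letters[1:]:
        code = _SOUNDEX.get(c, "")
        if code and code != last:
            out += code
        if c not in "hw":          # h/w do not break a run of equal codes
            last = code
    return (out + "000")[:4]


def fingerprints(password: str) -> set[str]:
    """Forms remembered per password: exact, canonicalised, and its Soundex."""
    norm = normalize(password)
    return {password, norm, soundex(norm)}


class PasswordHistory:
    """Keeps only salted SHA-256 digests of the fingerprints, never the forms."""

    def __init__(self, salt: bytes) -> None:
        self.salt = salt            # one salt per history file so entries can be pooled
        self.seen: set[str] = set()

    def _digest(self, value: str) -> str:
        return hashlib.sha256(self.salt + value.encode()).hexdigest()

    def remember(self, password: str) -> None:
        self.seen.update(self._digest(f) for f in fingerprints(password))

    def is_reused(self, candidate: str) -> bool:
        """True when the candidate, or a near-variant of it, was used before."""
        return any(self._digest(f) in self.seen for f in fingerprints(candidate))
```

Because a Soundex code takes only a few thousand values, hashing it obscures the entry but does not make it hard to invert, so the 0600 on the history file the post calls for is doing the real protection.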