Re: password aging

["Stephen P. Gibbons" <steve () aztech net>]

System-wide password histories shouldn't be used unless
you are also doing dictionary/pattern checks.  Given those
constraints, and the soundex + hashing that I mentioned in
my previous message, it will be difficult for an end-user to
determine exactly why their new password choice was
rejected by the system. Your example of "sleepy7" could
have been rejected at any stage of the "sanity checks".
The specific reason for rejecting the new password should
not be reported to the user, they only need to be told that
the new password is probably weak.

Think of the global history as an adjunct to a dictionary check.
The dictionary, in this case just happens to match your user-
base's actual use very closeley, and it changes over time.

--
Steve


Paul McNabb wrote:

> >  From: "Stephen P. Gibbons" <steve () aztech net>
> >
> >  Storing the hashes system-wide so that user2 wouldn't be
> >  allowed to use a password that had been previously used
> >  by user1 or user3 is another option.  Use a strong hash, and
> >  chmod 0600 the history file if you do this.  Yeah, an HMAC
> >  would work better, but then you can't easily combine histories
> >  and have to protect the key used.
>
> Having a "system wide" password history is an EXTREMELY bad thing
> to do!  It is much worse than doing nothing at all!  The reason
> for a password history mechanism in the first place is because you
> want to break up (as much as possible) the password selection
> mechanism so that passwords are more random (and harder to guess)
> for a user.
>
> If your users are not telling each other their passwords, then any
> passwords reused by other people are purely random anyway.  And if
> a user ever gets a "hit" on a password, then he/she knows something
> about the password selection habits of someone on the system.  For
> example, if a user can't choose the password "sleepy7" because someone
> else has used it, it may be a reasonable guess that someone is using
> a "Snow White" theme in choosing passwords.
>
> System wide password history mechanisms remove randomness from the
> password set being used, and they *secretly* pass information about
> one user's passwords to another user.
>
> It should be obvious that if the password history includes the current
> passwords, then if I get a "hit" when trying to select a new password,
> I am fairly sure that some account on the system has the password I
> just tried!
>
> The moral?  NEVER, NEVER, NEVER USE SYSTEM WIDE PASSWORD HISTORIES!!
>
> paul
>
> ---------------------------------------------------------
> Paul McNabb                     Argus Systems Group, Inc.
> Vice President and CTO          1809 Woodfield Drive
> mcnabb () argus-systems com        Savoy, IL 61874 USA
> TEL 217-355-6308
> FAX 217-355-1433                "Securing the Future"
> ---------------------------------------------------------