Firewall Wizards mailing list archives

Re: password aging


From: "R. DuFresne" <dufresne () darkstar sysinfo com>
Date: Thu, 20 Aug 1998 10:34:47 -0500 (CDT)

Folks,

Interesting coincidence, this is just the topic I'm researching now for our
company, implementing forced password changes and archiving old passwd's
such that they can't be reused for some time.  Of course, this is on a
Cray T3E running UNICOS/mk 10.x.  I've found all I need so far,
except the maintained DB of old passwd's, and I'll probably find more
info on that within the UNICOS/mk OS here shortly.  Someone posted a
reply, which I seem to have deleted, with links to the Orange Book and a
few other related links; does anyone have a copy of that post they can
forward back to me here please?

Thanks,

Ron DuFresne

On Wed, 19 Aug 1998, Steve Bellovin wrote:

In message <19980818175723.A4608 () weathership homeport org>, Adam Shostack writes:
    Various people assert that it's a good idea to maintain a
history of user passwords so that they can't change their password to
a previous password.  However, I'm having trouble finding a reference
to this in the literature that examines the issue of how many
passwords to save and why.  The lime green book (password management)
says not to let the user use their previous password, but doesn't go
into storing a history.

    Does anyone know of a paper on, or that discusses, this topic, 
and how or why to pick various values of N?

There are several rationales; most boil down to combatting user
unwillingness to change their passwords.  If forced to, they'll
change it, then change it right back to the old one, and (often)
iterate as needed.

Another rationale is that if it takes a long time to crack a given
password, but that password will be reused -- as is not unlikely --
one can try the old-but-recovered one every month or so, to see if it
now works.

I seem to recall some discussion of this topic in:

@article{opus,
        author = {Eugene H. Spafford},
        title = {{OPUS}: Preventing Weak Password Choices},
        journal = {Computers \& Security},
        volume = 11,
        number = 3,
        year = 1992,
        pages = {273--278},
        annote = {Discusses how to use Bloom filters to check passwords against dictionaries
                without consuming large amounts of space.},
        url = {ftp://coast.cs.purdue.edu/pub/Purdue/papers/spafford/spaf-OPUS.ps}
}


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

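The two rationales Bellovin gives (the user who changes a password and then changes it straight back, and the attacker who periodically retries an old password recovered by offline cracking) and Shostack's question of what the value of N actually buys can be made concrete with a small password-history routine. The code below is an added illustration for this archive page; it is not from the thread, from UNICOS/mk, or from OPUS. It assumes a history of N entries stored as per-entry salted PBKDF2-SHA256 hashes (the hash function and N=5 are assumed policy choices, not anything the posts specify), with only the newest entry acting as a live credential.

```python
import hashlib
import hmac
import os
from collections import deque

# Policy knobs (assumed values, not taken from UNICOS or from the thread):
# N = how many passwords, counting the current one, a user may not reuse.
HISTORY_DEPTH = 5
# PBKDF2 work factor.  Every retired entry has its own salt, so a password
# change costs N hash computations: the price of a deeper history.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (a stand-in for whatever the system hash is)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user record: the current credential plus the last N-1 retired ones.

    Entries are (salt, hash) only, never plaintext, so a stolen history
    database is no more useful to an attacker than a stolen password file.
    """

    def __init__(self, depth: int = HISTORY_DEPTH):
        if depth < 1:
            raise ValueError("history depth must be at least 1")
        self.entries: deque = deque(maxlen=depth)   # oldest ... newest

    def was_used(self, candidate: str) -> bool:
        """True if candidate matches the current or any retired password."""
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self.entries
        )

    def set_password(self, new_password: str) -> bool:
        """Rotate to new_password; refuse (False) if it is still in the history."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(new_password, salt)))
        return True

    def verify(self, candidate: str) -> bool:
        """Authenticate: only the newest entry is a live credential."""
        if not self.entries:
            return False
        salt, digest = self.entries[-1]
        return hmac.compare_digest(hash_password(candidate, salt), digest)


def change_and_change_back_rejected(depth: int = HISTORY_DEPTH) -> bool:
    """First rationale: forced change, then an attempt to switch straight back."""
    user = PasswordHistory(depth)
    user.set_password("winter-1997")            # constructed sample passwords
    user.set_password("summer-1998")            # the forced change
    return not user.set_password("winter-1997") # True: switch-back refused


def rotations_until_reusable(depth: int) -> int:
    """How many forced changes before the original password is accepted again.

    Returns depth: an N-entry history lets the original back in after N
    rotations.  This is the quantity the choice of N actually controls.
    """
    user = PasswordHistory(depth)
    user.set_password("original")
    rotations = 0
    while not user.set_password("original"):
        rotations += 1
        user.set_password(f"interim-{rotations}")
    return rotations


def recovered_old_password_still_works(depth: int = HISTORY_DEPTH) -> bool:
    """Second rationale: an attacker cracked a retired password offline and
    retries it a month later.  With history enforced the user cannot have
    gone back to it, so the retry fails (False)."""
    user = PasswordHistory(depth)
    user.set_password("winter-1997")   # attacker recovers this one offline
    user.set_password("summer-1998")   # forced change
    user.set_password("winter-1997")   # user tries to go back; refused
    return user.verify("winter-1997")  # attacker's later retry


if __name__ == "__main__":
    print("switch-back rejected:", change_and_change_back_rejected())
    print("rotations until reuse with N=3:", rotations_until_reusable(3))
    print("cracked old password still works:", recovered_old_password_still_works())
```

Two practical caveats follow from the structure rather than from any particular N. A history kept as hashes must rehash the candidate once per entry, so the work factor and N together bound how slow a password change may be; and a history that stores plaintext (or reversible) old passwords turns the history database into a record of each user's habits, which is exactly what an attacker doing the monthly retry would want. Nothing here addresses the dictionary check that OPUS describes; that is a separate filter applied before the history check.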

