Firewall Wizards mailing list archives
Re: password aging
From: Adam Shostack <adam () weathership homeport org>
Date: Mon, 24 Aug 1998 10:27:00 -0400
Several people have suggested this, some in private mail. If you store old passwords in a different format than the OS, you may well be opening up a security vulnerability. Here, I can trial passwords as l0phtcrack does, because you're storing a hash, and forgot the salt. It's likely that even with a salt, you're still vulnerable to a faster attack than UNIX crypt. So, if you're implementing this stuff, be careful.

| I'm presuming that you should store hashes of previous passwords, and not store the actual passwords themselves.
|
| From: Adam Shostack <adam () weathership homeport org>
| > Various people assert that it's a good idea to maintain a history of user passwords so that they can't change their password to a previous password. However, I'm having trouble finding a reference to this in the literature that examines the issue of how many passwords to save and why. The lime green book (password management) says not to let the user use their previous password, but doesn't go into storing a history.
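As an added illustration of the point in the mail above (example code, not from the original post or any listed product), here is a password-history store whose entries are salted and run through a slow KDF, next to the bare unsalted hash pattern the mail warns about. All function names, the history depth and the PBKDF2 round count are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed tunables: a random salt per entry and a deliberately slow KDF,
# so the history store is at least as costly to attack as the live credential.
SALT_BYTES = 16
PBKDF2_ROUNDS = 100_000
HISTORY_DEPTH = 5


def weak_history_entry(password: str) -> str:
    """The pattern the post warns about: a bare, unsalted fast hash.
    Identical passwords give identical entries, so entries are linkable
    across users and one dictionary pass covers every account at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def history_entry(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated entry: (salt, PBKDF2-HMAC-SHA256 digest).
    A fresh salt is drawn unless one is supplied for re-checking."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(candidate: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if candidate matches any stored (salt, digest) entry.
    Each entry must be recomputed with its own salt; there is no shortcut."""
    for salt, digest in history:
        _, probe = history_entry(candidate, salt)
        if hmac.compare_digest(probe, digest):
            return True
    return False


def record_password(history: List[Tuple[bytes, bytes]], new_password: str,
                    depth: int = HISTORY_DEPTH) -> List[Tuple[bytes, bytes]]:
    """Reject reuse of any remembered password, then store the new one
    and keep only the most recent `depth` entries."""
    if in_history(new_password, history):
        raise ValueError("password reuse not permitted")
    history.append(history_entry(new_password))
    del history[:-depth]
    return history
```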