Firewall Wizards mailing list archives
Re: password aging
From: Paul McNabb <mcnabb () argus-systems com>
Date: Fri, 28 Aug 1998 09:06:51 -0500 (CDT)
From: "Stephen P. Gibbons" <steve () aztech net>

> Storing the hashes system-wide so that user2 wouldn't be allowed to use a
> password that had been previously used by user1 or user3 is another option.
> Use a strong hash, and chmod 0600 the history file if you do this. Yeah, an
> HMAC would work better, but then you can't easily combine histories and have
> to protect the key used.
Having a "system wide" password history is an EXTREMELY bad thing to do! It is much worse than doing nothing at all!

The reason for a password history mechanism in the first place is because you want to break up (as much as possible) the password selection mechanism so that passwords are more random (and harder to guess) for a user. If your users are not telling each other their passwords, then any passwords reused by other people are purely random anyway. And if a user ever gets a "hit" on a password, then he/she knows something about the password selection habits of someone on the system. For example, if a user can't choose the password "sleepy7" because someone else has used it, it may be a reasonable guess that someone is using a "Snow White" theme in choosing passwords.

System wide password history mechanisms remove randomness from the password set being used, and they *secretly* pass information about one user's passwords to another user. It should be obvious that if the password history includes the current passwords, then if I get a "hit" when trying to select a new password, I am fairly sure that some account on the system has the password I just tried!

The moral? NEVER, NEVER, NEVER USE SYSTEM WIDE PASSWORD HISTORIES!!

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com     Savoy, IL 61874 USA
TEL 217-355-6308                FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------
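An added illustration of the point argued above (example code written for this archive page, not code from either poster): a per-user history that only rejects an account's own earlier passwords, beside the system-wide variant whose "hit" tells the caller that some other account chose that password. Account names, passwords and the iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Added example (not code from either poster): per-user vs system-wide
# password history. Only the per-user check avoids acting as an oracle.

HASH_ITERATIONS = 100_000  # constructed value; tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Strong, salted one-way hash of a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)


class PerUserHistory:
    """Keeps a separate salted hash list for each account."""

    def __init__(self, depth: int = 5):
        self.depth = depth
        self._entries: dict[str, list[tuple[bytes, bytes]]] = {}

    def record(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per entry, so equal passwords differ on disk
        hist = self._entries.setdefault(user, [])
        hist.append((salt, hash_password(password, salt)))
        del hist[:-self.depth]  # keep only the newest `depth` entries

    def was_used_by(self, user: str, password: str) -> bool:
        """True only if *this* user previously chose `password`."""
        return any(
            hmac.compare_digest(hash_password(password, salt), digest)
            for salt, digest in self._entries.get(user, [])
        )

    def was_used_by_anyone(self, password: str) -> bool:
        """System-wide variant: a hit reveals that some account used the password."""
        return any(self.was_used_by(u, password) for u in self._entries)


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: user2 tries a password user1 already chose."""
    h = PerUserHistory()
    h.record("user1", "sleepy7")
    h.record("user3", "grumpy2")
    return (
        h.was_used_by("user1", "sleepy7"),  # user1 reusing own password: rejected
        h.was_used_by("user2", "sleepy7"),  # per-user check: user2 learns nothing
        h.was_used_by_anyone("sleepy7"),    # system-wide check: leaks that someone uses it
    )
```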