Need help with password aging
Wilson Heydt
whh at pbhya.PacBell.COM
Tue Mar 21 02:45:08 AEST 1989
In article <8656 at sneaky.TANDY.COM>, gordon at sneaky.TANDY.COM (Gordon Burditt) writes:
> If you want to fix that, keep records of a few old passwords *IN ENCRYPTED
> FORM*, and don't allow re-use. I don't agree with a previous poster who
> claims that this is a cure worse than the disease. Encrypted passwords
> that don't work anyway aren't that much of a risk, and there is no reason to
> make them widely readable. This will encourage the user to switch between
> several passwords, probably the same password with a variable field for the
> month that changes each time. This might be slightly more secure than
> switching between two passwords. A few security-conscious users, hopefully
> including the administrator, might actually think up good passwords.
The problem that this scheme presents is that if the file of old passwords
is broken, then the *pattern* of password picks for a given account may be
discernible. While this is not useful for breaking the account of someone
who picks really *good* passwords--effectively random--this is not the general
case. If you doubt this, go read Kahn's "The Codebreakers" on the subject
of Soviet one-time pads.
=========================================================================
Hal Heydt | Money is the root of all
Analyst, Pacific*Bell | evil--and a man *needs*
415-645-7708 | roots.
whh at pbhya.PacBell.COM
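Added example (not part of either poster's message): a password-change check that keeps the history only as salted PBKDF2 hashes, as Gordon suggests, and additionally compares the candidate against the *current* password (which the user supplies in plaintext at change time anyway) so that the "same password with a variable month field" pattern Hal warns about is rejected without storing anything beyond hashes. The sample history, passwords and difference threshold are constructed for the example.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # PBKDF2 work factor; chosen for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password; only this is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_entry(password: str):
    """Create a history record (salt, hash) for a newly set password."""
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))


def reused(candidate: str, history) -> bool:
    """True if the candidate matches any password in the hashed history."""
    return any(hmac.compare_digest(hash_password(candidate, salt), digest)
               for salt, digest in history)


def stem(password: str) -> str:
    """Strip a trailing 'variable field' (month abbreviation and/or digits)."""
    return re.sub(r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)?[0-9]*$",
                  "", password.lower())


def too_similar(candidate: str, current: str, min_diff: int = 3) -> bool:
    """Reject candidates that only vary a suffix of, or barely differ from, the current password."""
    if stem(candidate) == stem(current):
        return True
    diffs = sum(a != b for a, b in zip(candidate, current))
    diffs += abs(len(candidate) - len(current))
    return diffs < min_diff


def check_change(current: str, candidate: str, history) -> str:
    """Policy decision for a password change; current is the plaintext old password."""
    if reused(candidate, history):
        return "rejected: matches a previous password"
    if too_similar(candidate, current):
        return "rejected: too similar to current password"
    return "ok"


# Constructed sample history for one account (hashes only); the current password is winter0289.
HISTORY = [new_entry(p) for p in ("winter0189", "winter0289")]
```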