reusing passwords

Chris Torek chris at trantor.umd.edu
Tue Feb 16 21:05:49 AEST 1988


In article <468 at minya.UUCP> jc at minya.UUCP (John Chambers) writes:
>If VMS can actually determine that you have used the same password, then it
>is either keeping your unencrypted password somewhere, or it encrypts it the
>same each time.  Either is a major security hole....

Neither is necessary.  Using the `salted DES' approach, you could
just store the old encrypted passwords somewhere, and compare
against each one in the same way you compare against the current
one at login.  Knowing VMS as superficially as I do :-) , however,
I would stay suspicious until someone outside of DEC marketing
claims it is secure :-) .
-- 
In-Real-Life: Chris Torek, Univ of MD Computer Science, +1 301 454 7163
(hiding out on trantor.umd.edu until mimsy is reassembled in its new home)
Domain: chris at mimsy.umd.edu		Path: not easily reachable
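
The scheme described in the post above, as an added example that is not part of the original message: old salted hashes are kept and a proposed password is re-hashed under each stored salt, exactly as a login check would do. PBKDF2-HMAC-SHA256 is swapped in for salted DES crypt(3); the `Account` class, `ITERATIONS` and `HISTORY_DEPTH` are assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example
HISTORY_DEPTH = 5     # assumed number of old passwords remembered


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches(password: str, entry: tuple[bytes, bytes]) -> bool:
    """Re-hash the candidate under the entry's own salt, as a login check does."""
    salt, stored = entry
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


class Account:
    def __init__(self, password: str):
        self.current = hash_password(password)
        # Only old (salt, digest) pairs are kept, never the plaintext.
        self.history: list[tuple[bytes, bytes]] = []

    def login(self, password: str) -> bool:
        return matches(password, self.current)

    def change_password(self, new_password: str) -> bool:
        """Reject a password equal to the current one or any remembered one."""
        for entry in [self.current, *self.history]:
            if matches(new_password, entry):
                return False
        # Retire the current hash into the bounded history, then store the new one.
        self.history = [self.current, *self.history][:HISTORY_DEPTH]
        self.current = hash_password(new_password)
        return True
```

Because each entry carries its own random salt, the same password hashes to a different stored value every time, yet reuse is still detected.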


