60-second timeout in Unix login

Mikel Manitius mikel at codas.att.com
Wed Feb 17 07:05:00 AEST 1988


In article <468 at minya.UUCP>, jc at minya.UUCP (John Chambers) writes:
> 
> If VMS can actually determine that you have used the same password, then it
> is either keeping your unencrypted password somewhere, or it encrypts it the
> same each time.  Either is a major security hole, of course, and you should
> refuse to use the system (on security grounds) until they correct the problem.

Not necessarily. The system could keep an encrypted list of all passwords
used during the past N days (weeks, months), indexed per user. Any time you
try to change your password, it encrypts it once for every remembered password,
using that salt; if the two encrypted passwords match (note: same salt), then
there is a reuse, and the password is not accepted.

This would be just as "secure" as the UNIX password file, only adding the
burden of maintaining such a list.
-- 
					Mikel Manitius
					mikel at codas.att.com
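The scheme described in the post, as an added example that is not part of the original thread: a per-user history of salted one-way hashes, a candidate re-hashed under each remembered salt and compared, and a fixed-depth list trimmed on every change. PBKDF2-HMAC-SHA256 stands in for crypt(3), and the history depth and sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# One remembered entry: (salt, digest). Only salted hashes are kept, never the
# cleartext, so the history is no weaker than the password file it sits beside.
HistoryEntry = Tuple[bytes, bytes]

HISTORY_DEPTH = 5          # remember the last N passwords per user (assumed value)
PBKDF2_ROUNDS = 100_000    # PBKDF2-HMAC-SHA256 used here in place of crypt(3)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; the same (password, salt) pair always gives the same digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def is_reused(candidate: str, history: List[HistoryEntry]) -> bool:
    """Re-hash the candidate under every remembered salt; any constant-time match is a reuse."""
    return any(hmac.compare_digest(hash_password(candidate, salt), digest)
               for salt, digest in history)


def change_password(candidate: str, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Reject a remembered password; otherwise append a freshly salted hash and trim."""
    if is_reused(candidate, history):
        raise ValueError("password was used recently; choose a different one")
    salt = os.urandom(16)                      # new salt per stored entry
    updated = history + [(salt, hash_password(candidate, salt))]
    return updated[-HISTORY_DEPTH:]            # oldest entries age out of the list


def demo() -> bool:
    """Returns True when a constructed reuse attempt is correctly refused."""
    hist: List[HistoryEntry] = []
    hist = change_password("correct horse battery", hist)
    hist = change_password("staple-2", hist)
    try:
        change_password("correct horse battery", hist)  # constructed reuse attempt
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("reuse refused:", demo())
```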