Remembering old passwords (was 60-second timeout in Unix login)

Michael A. Petonic mikep at ism780c.UUCP
Fri Feb 19 04:56:36 AEST 1988


In article <2178 at ttrdc.UUCP> levy at ttrdc.UUCP (Daniel R. Levy) writes:
>In article <18083 at topaz.rutgers.edu>, ron at topaz.rutgers.edu (Ron Natalie) writes:
>> Actually at BRL, it remembers all past passwords that everyone used and
>> won't ever let you reuse them (or use the "passwd" program to set two
>> accounts to the same password).
>
>How is this implemented without saving passwords somewhere in the clear?
>Also -- if "passwd" unexpectedly refuses to let a user set a proposed password
>he has chosen, it would be a tipoff that he has stumbled over somebody else's
>current password.

For the first part, an easy method would be:

	for each item in old password list (in encrypted form)
		get salt from old password
		encrypt new proposed password with salt from old password
		if they are the same, notify user that he can't use it.

I don't think BRL's method would tip off whether the password is a
current password of some other user's.  It would, however, tell you 
what has been used before, since it stores all used passwords from everybody
since the dawn of time.

-MikeP
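
The salt-reuse check sketched in the message above, written out as an added example (not code from the original post or from BRL). PBKDF2 stands in for crypt(3), and the function names, iteration count and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Stand-in for crypt(3): PBKDF2-HMAC-SHA256. The iteration count is an
# assumption chosen for this example, not a value from the post.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_entry(password: str) -> tuple[bytes, bytes]:
    """Create a (salt, hash) history entry with a fresh random salt."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def is_reused(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Return True if candidate matches any stored entry.

    Each entry has its own salt, so the candidate is re-hashed once per
    entry; no cleartext password is stored or needed.
    """
    reused = False
    for salt, stored in history:
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(hash_password(candidate, salt), stored):
            reused = True  # keep looping so run time does not show which entry matched
    return reused


def change_password(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Append candidate to the history unless it was used before."""
    if is_reused(candidate, history):
        return False
    history.append(new_entry(candidate))
    return True


# Constructed sample history for one account (hypothetical passwords).
SAMPLE_HISTORY = [new_entry(p) for p in ("winter1987", "spring1988")]
```

The cost of a check grows with the length of the history, since every stored salt requires one full hash of the proposed password.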


