Remembering old passwords (was 60-second timeout in Unix login)

ark at alice.UUCP
Fri Feb 19 00:00:15 AEST 1988


In article <2178 at ttrdc.UUCP>, levy at ttrdc.UUCP writes:
> In article <18083 at topaz.rutgers.edu>, ron at topaz.rutgers.edu (Ron Natalie) writes:
> > Actually at BRL, it remembers all past passwords that everyone used and
> > won't ever let you reuse them (or use the "passwd" program to set two
> > accounts to the same password).
> 
> How is this implemented without saving passwords somewhere in the clear?
> Also -- if "passwd" unexpectedly refuses to let a user set a proposed password
> he has chosen, it would be a tipoff that he has stumbled over somebody else's
> current password.

Easy solutions to both problems:

	1.  Run the passwords through the sort of irreversible
	    hash function used with /etc/passwd before storing
	    them.  When a user selects a new password, hash it
	    and look up the hashed password in the database.
	2.  Seed the database with every easy password you can think
	    of, such as everything in an unabridged dictionary,
	    a bunch of people's names, etc.  If the database
	    starts with half a million entries, you haven't learned
	    much when the system tells you you've picked a bad
	    password.
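As an added illustration (not code from the post or from BRL), a small Python model of the two steps described above: a history database that holds only hashes, seeded with dictionary words, so a refusal looks the same whether the word was common or someone's old password. The HMAC with a system-wide key stands in for the crypt(3)-style hash the post refers to; that key, the seed words and the hypothetical `try_set_password` wrapper are assumptions, chosen so that a given password always hashes to the same lookup value and the table is useless to anyone who obtains it without the key.

```python
import hashlib
import hmac

# Constructed sample standing in for the "unabridged dictionary" seed.
SEED_WORDS = ["password", "secret", "wizard", "alice", "unix", "brl"]


class PasswordHistory:
    """Global set of disallowed passwords, stored only as keyed hashes.

    A single system-wide key (an assumption, not in the post) gives a
    deterministic digest so a proposal can be looked up directly; per-entry
    random salts would make that lookup impossible. Keeping the key apart
    from the table means a leaked table cannot be cracked offline into the
    real passwords it remembers.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._hashes = set()

    def _digest(self, password: str) -> bytes:
        # Irreversible: nothing in the table can be turned back into a password.
        return hmac.new(self._key, password.encode(), hashlib.sha256).digest()

    def seed(self, words) -> None:
        for word in words:
            self._hashes.add(self._digest(word))

    def is_allowed(self, password: str) -> bool:
        return self._digest(password) not in self._hashes

    def record(self, password: str) -> None:
        self._hashes.add(self._digest(password))


def try_set_password(history: PasswordHistory, proposal: str):
    """Hypothetical passwd-style check: one message for every refusal, so the
    user cannot tell a dictionary hit from another account's past password."""
    if not history.is_allowed(proposal):
        return False, "bad password: too easy or previously used"
    history.record(proposal)
    return True, "password changed"


if __name__ == "__main__":
    db = PasswordHistory(b"constructed-demo-key")
    db.seed(SEED_WORDS)
    print(try_set_password(db, "wizard"))          # refused: seeded word
    print(try_set_password(db, "Tr0ub4dor&3"))     # accepted and remembered
    print(try_set_password(db, "Tr0ub4dor&3"))     # refused: same message
```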
