password quality script aka --with-cracklib replacement

Richard Sharpe rsharpe at richardsharpe.com
Thu Feb 13 22:41:33 GMT 2003


On Fri, 14 Feb 2003, Andrew Bartlett wrote:

> On Fri, 2003-02-14 at 02:09, David Collier-Brown -- Customer Engineering
> wrote:
> > Martin Pool wrote:
> > > The PAM module might store previous passwords in a database (e.g. tdb)
> > > that it maintains.  Every time a password is set, it gets put in
> > > there, with any other appropriate information (date?).  When a new
> > > password-setting attempt is made, it checks against the history, plus
> > > other strength checks.
> > 
> > 	Do we even need to save the decrypted password?
> > 	A colleague once saved old encrypted passwords
> > 	to allow the "do they really know the old one"
> > 	test to be done via challenge-response.
> 
> Anybody doing this 'must change password every x days' thing has to
> store the decrypted password, or else your users change from password1
> to password2 to password3 then back to password1.

Hmmm, I am not sure of that. What is wrong with storing the history of 
password hashes back to some number. Sure, there can be collisions, but 
they should be infrequent, and it will prevent them from re-using the same 
passwd within the horizon of the hashes kept.

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
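The approach Richard describes, as an added example that is not code from the thread or from Samba: keep only a bounded history of password hashes per user and reject a new password that matches any entry still inside the horizon. The store here is an in-memory dict standing in for the tdb Martin mentions, and the use of PBKDF2-HMAC-SHA256 with a fresh random salt per entry is an assumption of this example, not something the thread specifies; a per-entry salt means the history cannot be compared entry-to-entry, only candidate-to-entry, which is all the reuse check needs. The set time is stored alongside each entry, as Martin suggested.

```python
import hashlib
import hmac
import os
from collections import deque

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256,
# a fixed iteration count, and a default history horizon of 5 entries.
PBKDF2_ITERATIONS = 100_000
HISTORY_HORIZON = 5


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a hash for one history entry using the entry's own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user bounded history of salted password hashes.

    The in-memory dict is a constructed stand-in for a persistent store
    such as the tdb proposed in the thread.
    """

    def __init__(self, horizon: int = HISTORY_HORIZON):
        self.horizon = horizon
        # username -> deque of (salt, hash, set_time); deque(maxlen) drops
        # the oldest entry automatically once the horizon is exceeded.
        self._entries = {}

    def record(self, user: str, password: str, set_time: int) -> None:
        salt = os.urandom(16)
        history = self._entries.setdefault(user, deque(maxlen=self.horizon))
        history.append((salt, _hash_password(password, salt), set_time))

    def was_used(self, user: str, candidate: str) -> bool:
        """True if the candidate matches any hash still within the horizon."""
        for salt, digest, _set_time in self._entries.get(user, ()):
            # Constant-time comparison; a match here is a reuse (barring
            # the rare hash collision Richard mentions).
            if hmac.compare_digest(_hash_password(candidate, salt), digest):
                return True
        return False

    def try_change(self, user: str, new_password: str, now: int) -> bool:
        """Apply the reuse check; on success, record the new password."""
        if self.was_used(user, new_password):
            return False
        self.record(user, new_password, now)
        return True


def demo() -> dict:
    """Walk the password1 -> password2 -> password3 -> password1 cycle."""
    results = {}

    # Horizon of 5: cycling back to password1 after two changes is caught.
    strict = PasswordHistory(horizon=5)
    assert strict.try_change("alice", "password1", now=1)
    assert strict.try_change("alice", "password2", now=2)
    assert strict.try_change("alice", "password3", now=3)
    results["reuse_within_horizon_rejected"] = not strict.try_change("alice", "password1", now=4)

    # Horizon of 2: password1 has aged out of the history, so it is accepted.
    # This is the limit Richard's wording ("within the horizon") allows for.
    short = PasswordHistory(horizon=2)
    for t, pw in enumerate(["password1", "password2", "password3"], start=1):
        assert short.try_change("bob", pw, now=t)
    results["reuse_beyond_horizon_accepted"] = short.try_change("bob", "password1", now=4)

    # A user's own history never affects another user.
    results["other_user_unaffected"] = not short.was_used("alice", "password3")
    return results


if __name__ == "__main__":
    print(demo())
```

The horizon bounds both storage and the cost of a change attempt (one PBKDF2 computation per retained entry), so a deployment would pick the iteration count and horizon together.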
