password quality script aka --with-cracklib replacement

John E. Malmberg wb8tyw at
Fri Feb 14 01:12:52 GMT 2003

Richard Sharpe wrote:
> On Fri, 14 Feb 2003, Andrew Bartlett wrote:
>>Anybody doing this 'must change password every x days' thing has to
>>store the decrypted password, or else your users change from password1
>>to password2 to password3 then back to password1.
> Hmmm, I am not sure of that. What is wrong with storing the history of 
> password hashes back to some number. Sure, there can be collisions, but 
> they should be infrequent, and it will prevent them from re-using the same 
> passwd within the horizon of the hashes kept.

OpenVMS stores the password hashes back a configurable amount of time, 
the default is one year per user.

The storage time needs to be timed based, not number of changes.

OpenVMS does not have the security hole where a user is forbidden to 
change a password for a period of time from the last change, so that a 
user must notify the system administrator when they think a recently 
changed password was compromised.

Frequent password changes also lead to passwords that are more easily 
cracked by social engineering methods.  Usually if you have learned a 
past password, a human can figure out all future passwords.

wb8tyw at
Personal Opinion Only

More information about the samba-technical mailing list