password quality script aka --with-cracklib replacement
John E. Malmberg
wb8tyw at qsl.net
Fri Feb 14 01:12:52 GMT 2003
Richard Sharpe wrote:
> On Fri, 14 Feb 2003, Andrew Bartlett wrote:
>>Anybody doing this 'must change password every x days' thing has to
>>store the decrypted password, or else your users change from password1
>>to password2 to password3 then back to password1.
> Hmmm, I am not sure of that. What is wrong with storing the history of
> password hashes back to some number. Sure, there can be collisions, but
> they should be infrequent, and it will prevent them from re-using the same
> passwd within the horizon of the hashes kept.
OpenVMS stores the password hashes back a configurable amount of time,
the default is one year per user.
The storage time needs to be timed based, not number of changes.
OpenVMS does not have the security hole where a user is forbidden to
change a password for a period of time from the last change, so that a
user must notify the system administrator when they think a recently
changed password was compromised.
Frequent password changes also lead to passwords that are more easily
cracked by social engineering methods. Usually if you have learned a
past password, a human can figure out all future passwords.
wb8tyw at qsl.network
Personal Opinion Only
More information about the samba-technical