password quality script aka --with-cracklib replacement

Martin Pool mbp at
Fri Feb 14 00:53:04 GMT 2003

On 14 Feb 2003, Andrew Bartlett <abartlet at> wrote:

> > 	Do we even need to save the decrypted password?
> > 	A colleague once saved old encrypted passwords
> > 	to allow the "do they really know the old one"
> > 	test to be done via challenge-response.

Different scripts might want to store various things derived from the
old password.

If you want to prevent reuse of old passwords, then you should store
the result of some kind of trapdoor function applied to the function.
Hashing the password is desirable because it helps avoid compromise of
old passwords if an attacker accesses the database.

However, some people want to check that the new password is not
"similar to" a previous password, using some kind of soundex or
edit-distance algorithm.  I'm pretty sure NT domain controllers can do
this, or be programmed to do so.  This requires storing the
unencrypted old passwords so that you can do such comparisons.  

(Or I suppose you could be really smart and invent a hashed format
such that similar passwords produce similar hashes, without allowing
the password to be retrieved from the hash.)

But in general I think you want to allow the script the chance of
having the unencrypted, unhashed, password.  If it wants to discard
information then it can.
