Remembering old passwords (was

rjd at occrsh.ATT.COM rjd at occrsh.ATT.COM
Fri Feb 19 01:25:00 AEST 1988


>> Actually at BRL, it remembers all past passwords that everyone used and
>> won't ever let you reuse them (or use the "passwd" program to set too
>> accounts to the same password).
>
>How is this implemented without saving passwords somewhere in the clear?
>Also -- if "passwd" unexpectedly refuses to let a user set a proposed password
>he has chosen, it would be a tipoff that he has stumbled over somebody else's
>current password.
>|------------Dan Levy------------|  Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,

  Why does everyone assume that you HAVE to save it in the clear?  YOU DON'T!!
As I said before:

    "... Since the "seed" [should be "salt"] used for the permutation
algorithm is the first two characters of the encrypted password, all you
need to do is encrypt your new password using the seed of each of the old
ones, and then compare the encryption to the encrypted password whose seed
you are using."

As proof, I offer this:

The login() command uses the following lines to get the password:
----------------------------
password = getpass(prmt);
p1 = crypt(password, pswd);

if(strcmp(p1, pswd)) ....
----------------------------
where:
	password is the clear text password typed in by the potential user.
	prmt is the prompt.
	pswd is the encrypted password in the password file.
	p1 is the encryption of the password inputted by the potential user.

To quote from the manual:
----------------------------
crypt(3C)
char *crypt(key, salt)
....is the password encryption function....
 Key is a user's typed password.  Salt is a two-character string chosen from the
set [a-zA-Z0-9./]; this string is used to perturb the hashing algorithm in one
of 4096 different ways; after which the password is used as the key to encrypt
repeatedly a constant string.  The returned value points to the encrypted
password. THE FIRST TWO CHARACTERS ARE THE SALT ITSELF.
----------------------------
Capitals mine....

  So, JUST SAVE THE encrypted passwords!!! Then, when a new one is entered,
encrypt it using each saved encrypted password's salt and compare it to the
password whose salt you are using!
  Yeah, sure, it's going to take a while to do, but who said security was
convenient?  I don't know about saving ALL past passwords, though; maybe
just the last four or five....

Randy
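
The history check Randy describes, as an added example written for this archive
page (it is not code from the original post or from BRL's login/passwd): only
salted hashes are kept, the salt is recovered from each stored string, the
proposed password is re-hashed under that salt and compared. Since crypt(3) is
not portable across modern C libraries, the example assumes Python's
hashlib.pbkdf2_hmac with a salt-prefixed record in place of the 13-character
crypt output, and keeps the last five entries as the post suggests.

```python
import hashlib
import hmac
import os
from typing import List

# Stored record format: "<salt-hex>$<hash-hex>". As with crypt(3), the salt is
# recoverable from the stored string itself, so old cleartext is never kept.
ITERATIONS = 20_000          # kept low so the example runs quickly; raise in practice
SALT_LEN = 16                # bytes; crypt(3) used a 2-character (12-bit) salt


def hash_with_salt(password: str, salt: bytes) -> str:
    """Hash a password under a given salt; stands in for crypt(password, salt)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def salt_of(stored: str) -> bytes:
    """Recover the salt from a stored record (crypt(3): the first two characters)."""
    return bytes.fromhex(stored.split("$", 1)[0])


def was_used_before(candidate: str, history: List[str]) -> bool:
    """Re-encrypt the candidate under each old record's salt and compare.

    Each stored record needs its own hashing pass because each carries its own
    salt; this is the cost the post calls "going to take a while".
    """
    for stored in history:
        rehashed = hash_with_salt(candidate, salt_of(stored))
        if hmac.compare_digest(rehashed, stored):
            return True
    return False


def change_password(candidate: str, history: List[str], keep: int = 5) -> List[str]:
    """Reject a reused password; otherwise append a fresh record and trim history."""
    if was_used_before(candidate, history):
        raise ValueError("password was used before; choose a different one")
    new_record = hash_with_salt(candidate, os.urandom(SALT_LEN))
    return (history + [new_record])[-keep:]


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    hist: List[str] = []
    hist = change_password("correct horse", hist)
    hist = change_password("battery staple", hist)
    print("reuse of 'correct horse' detected:", was_used_before("correct horse", hist))
```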
