Remembering old passwords (was 60-second timeout in Unix login)
ark at alice.UUCP
ark at alice.UUCP
Fri Feb 19 00:00:15 AEST 1988
In article <2178 at ttrdc.UUCP>, levy at ttrdc.UUCP writes:
> In article <18083 at topaz.rutgers.edu>, ron at topaz.rutgers.edu (Ron Natalie) writes:
> > Actually at BRL, it remembers all past passwords that everyone used and
> > won't ever let you reuse them (or use the "passwd" program to set too
> > accounts to the same password).
>
> How is this implemented without saving passwords somewhere in the clear?
> Also -- if "passwd" unexpectedly refuses to let a user set a proposed password
> he has chosen, it would be a tipoff that he has stumbled over somebody else's
> current password.
Easy solutions to both problems:
1. Run the passwords through the sort of irreversible
hash function used with /etc/passwd before storing
them. When a user selects a new password, hash it
and look up the hashed password in the database.
2. Seed the database with every easy password you can think
of, such as everything in an unabridged dictionary,
a bunch of people's names, etc. If the database
starts with half a million entries, you haven't learned
much when the system tells you you've picked a bad
password.
More information about the Comp.unix.wizards
mailing list