Hi, Ron:

On Tuesday 02 November 2010 00:29:03 Ron Johnson wrote:
> On 11/01/2010 04:45 PM, Jesús M. Navarro wrote:
> > Hi, Ron:
> >
> > On Monday 01 November 2010 18:49:01 Ron Johnson wrote:
> > [...]
> >
> >> If someone learns my password on day 2, they have full access to my
> >> account for 74 days, or I must beg for SysAdmin help?
> >>
> >> "Minimum number of days" isn't a very bright idea.
> >
> > It is, for a low minimum number.
> >
> > The rationale is to avoid the user reusing passwords: Ok, so my password
> > is 12345678 and I must change it now? Let's do it: 87654321; but
> > immediately I change back again.
>
> The way to do it is to have a record in your password db of the
> hashes of each user's last N passwords.
>
> > So if the minimum change time is about a week, it takes about the same
> > effort to learn the new password than to change it back.
>
> You're Doing It Wrong if you use "minimum days" to avoid password reuse.

I didn't imply minimum password age was either the only or the best way to avoid password reuse, only that it can be appropriately used for that.

On Linux, in order for you to retain the last n passwords you will need at least another "device" (file, database field...) to store them, which you'll have to take care of (at least under the assumption that old passwords will show a trend that could be exploited after a brute-force attack).

Cheers.
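
The two controls debated in this thread, a minimum password age and a record of each user's last N password hashes, can be modelled together to see what each one actually prevents. The following is an added example, not part of the original message or of any Linux tool; `PasswordPolicy`, `cycle_back` and the PBKDF2 parameters are hypothetical names and choices made for the illustration.

```python
import hashlib, hmac, os

DAY = 86400  # seconds

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordPolicy:
    """Hypothetical per-user record: salted hashes of the current password
    plus the last `remember` ones, and the time of the last change."""

    def __init__(self, remember, min_age_days):
        self.remember = remember
        self.min_age = min_age_days * DAY
        self.history = []        # (salt, hash) pairs, newest last
        self.changed_at = None

    def _seen(self, password):
        # Each stored entry has its own salt, so re-hash against every one.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def change(self, new_password, now):
        """Return "ok", "too-soon" or "reused"."""
        if self.changed_at is not None and now - self.changed_at < self.min_age:
            return "too-soon"
        if self._seen(new_password):
            return "reused"
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        self.history = self.history[-(self.remember + 1):]  # current + N old
        self.changed_at = now
        return "ok"

def cycle_back(policy, favourite, fillers):
    """Set `favourite`, change through `fillers`, then try `favourite` again,
    waiting out the minimum age whenever a change is refused as too soon.
    Returns (result of the last attempt, days elapsed)."""
    now = 0
    policy.change(favourite, now)
    for pw in list(fillers) + [favourite]:
        result = policy.change(pw, now)
        if result == "too-soon":
            now += policy.min_age
            result = policy.change(pw, now)
        if result != "ok":
            return result, now / DAY
    return "ok", now / DAY
```

With `remember=1` and no minimum age, the flip 12345678 → 87654321 → 12345678 from the thread is refused as `"reused"`, but one extra filler password gets back to the old one on day 0; adding a 7-day minimum age stretches that same cycle to 21 days.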