Chris Zakelj <[EMAIL PROTECTED]> writes:
> Date: Mon, 03 Jul 2006 21:09:32 -0400
> From: Chris Zakelj <[EMAIL PROTECTED]>
> To: "STeve Andre'" <[EMAIL PROTECTED]>
> CC: misc@openbsd.org
> Subject: Re: Preventing password reuse
>
> STeve Andre' wrote:
> > On Monday 03 July 2006 17:37, Jeff Simmons wrote:
> >
> >> A client is setting up a password policy, and would like to prevent users
> >> from reusing a password for a period of time (four changes ninety days
> >> apart). Is there a way to do this, either within the OS or via a program in
> >> ports? I've been looking for quite a while and haven't found anything.
> >>
> > I can't resist pointing out that this is an AWFUL policy. You will be
> > remembering people's passwords, a history of them, which are
> > very likely to be used on other systems. That's really bad. I wonder
> > (at least in the USA) what would happen to your company if that
> > data was ever stolen?
> >
>
> The same thing that happens whenever any other data (like, say, SSNs)
> gets stolen. Absolutely nothing.
Check out any good newspaper morgue before you believe that. There are too many counter-examples to your claim. The person who made this initial request claims to be working for medical doctors & credit card processors. There are specific horrible examples of the possible consequences of either. Of course, most of these are consequences to the person stealing the data, or the person whose data was lost -- but if too many data professionals start asserting it's not their responsibility at all, our politicians who art in <whatever> will certainly create laws that say otherwise. HIPAA for instance. Or think of the poor guy who lost a laptop at the VA recently.

In any case, you don't need to store passwords. You can store a history of one-way hashes instead, get (nearly) the same benefit, and without nearly the security exposure.

I think the more interesting security argument is that if you make people change passwords too often, they're much more likely to adopt other less secure policies in compensation, ones you can't control nearly so easily. For instance, they're much more likely to write them down. Or they may force you to adopt a less stringent password reset policy. Or they may just invent an obvious way to permute their password.

-Marcus Watts
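The hash-history approach Marcus describes, as an added example (not from the thread or from OpenBSD): each previous password is kept only as a salted PBKDF2 digest, the history is capped at the four entries the original policy asks for, and a candidate is rejected if it matches any entry. The iteration count and history depth are constructed assumptions, not values from the thread.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy from the original request: a password may not be reused within
# the last four changes. The current password is always entry -1.
HISTORY_DEPTH = 4
# Constructed assumption: PBKDF2 work factor; tune for the target host.
PBKDF2_ITERATIONS = 100_000


@dataclass
class PasswordHistory:
    # Each entry is (salt, digest). No cleartext is ever retained, so a
    # leaked history cannot be replayed directly against other systems.
    entries: list = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    """Salted one-way digest of a password; fresh salt per history entry."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def is_reused(history: PasswordHistory, candidate: str) -> bool:
    """True if candidate equals any password still in the history window.

    Each entry has its own salt, so the candidate is re-hashed per entry;
    compare_digest avoids leaking which entry matched via timing.
    """
    return any(hmac.compare_digest(_digest(candidate, salt), digest)
               for salt, digest in history.entries)


def change_password(history: PasswordHistory, new_password: str) -> bool:
    """Apply a password change; returns False when policy rejects reuse."""
    if is_reused(history, new_password):
        return False
    salt = os.urandom(16)
    history.entries.append((salt, _digest(new_password, salt)))
    # Keep only the most recent HISTORY_DEPTH entries (current + 3 prior).
    del history.entries[:-HISTORY_DEPTH]
    return True
```

Note that a depth-limited history only stops reuse within the window: the fifth change in the test below reintroduces the first password, which is exactly what the "four changes" policy permits.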