On Mon, 3 Jul 2006, Spruell, Darren-Perot wrote:

> From: [EMAIL PROTECTED]
> > A client is setting up a password policy, and would like to prevent users from
> > reusing a password for a period of time (four changes ninety days apart). Is
> > there a way to do this, either within the OS or via a program in ports? I've
> > been looking for quite a while and haven't found anything.
>
> I haven't either, although I haven't looked really hard. I mention
> http://www.mindrot.org/passwdqc.html not because I know it can do what
> you're looking for but because it can offer a few steps up in password
> quality which may also be in your policy.

passwdqc doesn't keep a reuse history, but this is one of the things that I'd like to implement.

> (http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html) approaches
> this by storing password hashes in a history file - meaning you
> have to basically have the equivalent of your shadow file (with
> historically valuable information) hanging around somewhere else.

This is the reason why I haven't implemented it in passwdqc yet :) This naive solution isn't very secure...

-d
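The history-file approach discussed in this thread, as an added example that is not part of the original messages and is not code from passwdqc or pam_cracklib. It keeps the last four salted hashes (the "four changes" in the question) and refuses to read a history file that is accessible beyond its owner, since the file holds shadow-equivalent data. The function names, the JSON layout, the per-user file and the PBKDF2 parameters are all assumptions.

```python
import hashlib, hmac, json, os, stat

HISTORY_DEPTH = 4        # "four changes" from the policy in the thread
ITERATIONS = 100_000     # assumed PBKDF2 cost, not taken from the thread

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def load_history(path):
    """Load stored entries, refusing a file that group/other can access."""
    if not os.path.exists(path):
        return []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path}: mode {mode:o}, expected 600")
    with open(path) as fh:
        return json.load(fh)

def is_reused(history, password):
    """Re-hash the candidate under each old salt; compare in constant time."""
    return any(
        hmac.compare_digest(_digest(password, bytes.fromhex(e["salt"])),
                            bytes.fromhex(e["hash"]))
        for e in history)

def record(path, history, password):
    """Append a freshly salted hash, trim to HISTORY_DEPTH, write atomically."""
    salt = os.urandom(16)
    entry = {"salt": salt.hex(), "hash": _digest(password, salt).hex()}
    history = (history + [entry])[-HISTORY_DEPTH:]
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(history, fh)
    os.replace(tmp, path)
    return history

def change_password(path, new_password):
    """Return False if new_password is among the last HISTORY_DEPTH ones."""
    history = load_history(path)
    if is_reused(history, new_password):
        return False
    record(path, history, new_password)
    return True
```

Even with per-entry salts and a slow hash, every retained entry remains a target for offline guessing if the file leaks, which is the concern raised in the thread; trimming to the policy depth limits how much old material is kept.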