On Monday 03 July 2006 17:37, Jeff Simmons wrote:

A client is setting up a password policy, and would like to prevent users from reusing a password for a period of time (four changes ninety days apart). Is there a way to do this, either within the OS or via a program in ports? I've been looking for quite a while and haven't found anything.
I can't resist pointing out that this is an AWFUL policy. You will be remembering people's passwords, a history of them, which are very likely to be used on other systems. That's really bad. I wonder (at least in the USA) what would happen to your company if that data was ever stolen?
The prevention of password reuse does not involve the storage of any passwords. You would properly store the hash. If you used MD5 there is an issue about collisions, but SHA1 would not have this problem. So the methodology would depend on the login. It is not normal for an OS to store the password, although application developers do do this.

This is the same problem that you have in biometrics. Lots of people think you store the fingerprint, when really you only store data related to the fingerprint -- i.e. you cannot replay it to create a complete print.
CU
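An added example (not from this thread or any of its posters) of the hash-only history the reply above describes: each previous password is kept as a random salt plus a PBKDF2-HMAC-SHA256 digest, a stronger choice than the bare MD5 or SHA1 the message mentions, so reuse can be refused without any plaintext being stored. The four-entry depth comes from the original question; class and function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# Policy from the original question: remember the last four passwords.
HISTORY_DEPTH = 4
# Assumed cost parameter; tune upward for production hardware.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated digest of the password; the password itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Holds (salt, digest) pairs for a user's most recent passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []

    def was_used(self, candidate: str) -> bool:
        """True if the candidate matches any remembered password.

        Each entry has its own salt, so the candidate is re-hashed per entry and
        compared in constant time.
        """
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self.entries
        )

    def change_password(self, new_password: str) -> bool:
        """Record a new password unless it repeats one in the history.

        Returns True if the change was accepted, False if it was a reuse.
        """
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)  # fresh salt so equal passwords never share a digest
        self.entries.append((salt, hash_password(new_password, salt)))
        # Keep only the newest `depth` entries; older passwords become reusable.
        self.entries = self.entries[-self.depth:]
        return True
```

Only the salt and digest are ever written to storage, so a stolen history file yields no reusable credential, which is the point the reply makes against the objection above it.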