Well, just to play the devil's advocate here ...

One of the main functions of any password hygiene program 'should' be to 
prevent users from changing 'mypassword1' to 'mypassword2' and then 
'mypassword3', etc.  (Yes, we can force complex passwords, but the idea is 
the same.)

It's fairly simple to compare 'newpassword' to 'existingpassword' and prevent 
this sort of behavior (I THINK that's what the -s option to passwdqc is for, 
but the man page is kind of ambiguous and I haven't had time to dive into the 
source yet - pam_passwdqc does it) but then the user can just do 
'mypassword1', 'mydogsname1', 'mypassword2', 'mydogsname2', etc. and totally 
invalidate your carefully designed security policy.

And hashes aren't gonna help.

Don't get me wrong, I'm not knocking the idea completely. My assignment here 
is that I've been told that in order to get my client certified I have to 
avoid reuse of a password over a cycle of 4 90 day forced changes. My JOB is 
to assure that doing this doesn't open my client up to a whole new string of 
vulnerabilities. Mr. Rock, meet Mr. Hard Place.

"In conclusion the main thing we did wrong ... was to worry about criminals
being clever;  we should rather have worried about our customers ... being
stupid."          Ross Anderson, "Security Engineering"

On Monday 03 July 2006 20:25, L. V. Lammert wrote:
> On Mon, 3 Jul 2006, STeve Andre' wrote:
> > On Monday 03 July 2006 17:37, Jeff Simmons wrote:
> >
> > I can't resist pointing out that this is an AWFUL policy.  You will be
> > remembering people's passwords, a history of them, which are
> > very likely to be used on other systems.  That's really bad.  I wonder
> > (at least in the USA) what would happen to your company if that
> > data was ever stolen?
> >
> > --STeve Andre'
>
> Ahhh, .. that's what hashes are for; easily recreatable given duplicate
> input strings, but creating the input string FROM the hash is just about
> impossible [lacking near infinite resources].
>
> Storing hashes in a DB is just fine - that's how passwords are encrypted
> in any case. Comparing the current to any others in the past 90 days
> would work swimmingly for a secure audit trail.
>
>       Lee

-- 
Jeff Simmons                                   [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise. Are you sure you're doing it right?"
        --My Life With The Thrill Kill Kult
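The two points argued in this thread (Lee's: a history of salted hashes catches exact reuse without storing plaintext; Jeff's: a hash-only history cannot see that 'mypassword2' is a trivial variation of 'mypassword1', and alternating two password families defeats the policy entirely) can be shown side by side in a small simulation. This is an added example written for this page; it is not code from the thread, from passwdqc or from pam_passwdqc. The choice of PBKDF2-HMAC-SHA256 for the history hashes, the 4-entry history depth, and the SequenceMatcher ratio threshold of 0.8 for "too similar to the current password" are this example's own assumptions, not a description of what any of those tools actually implement.

```python
"""Password-history check: what a hash-only history can and cannot detect.

Constructed example. The similarity check only has the *current* plaintext to
work with (the user types it at change time); every older password survives
only as a salted hash, so nothing can be compared against those except an
exact candidate.
"""
import hashlib
import hmac
import os
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Work factor chosen for a fast demo; production deployments use far more.
ITERATIONS = 50_000
HISTORY_DEPTH = 4          # "no reuse over a cycle of 4 forced changes"
SIMILARITY_THRESHOLD = 0.8  # assumed cutoff; 'mypassword1' vs 'mypassword2' scores ~0.91


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def reused_exactly(candidate: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Hash-based history: re-hash the candidate under each stored salt and
    compare in constant time. Only an exact repeat is detectable this way."""
    for salt, digest in history:
        _, cand_digest = hash_password(candidate, salt)
        if hmac.compare_digest(cand_digest, digest):
            return True
    return False


def too_similar(candidate: str, current: str,
                threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """Plaintext similarity check, possible only against the current password."""
    ratio = SequenceMatcher(None, candidate.lower(), current.lower()).ratio()
    return ratio >= threshold


def evaluate_change(candidate: str, current: str,
                    history: List[Tuple[bytes, bytes]]) -> str:
    """Verdict for one requested change: 'reused', 'similar' or 'ok'."""
    if reused_exactly(candidate, history):
        return "reused"
    if too_similar(candidate, current):
        return "similar"
    return "ok"


def simulate(changes: List[str], depth: int = HISTORY_DEPTH) -> List[str]:
    """Apply a sequence of password changes starting from changes[0].

    Keeps the last `depth` hashes (the current password included) and returns
    the verdict for each attempted change; a rejected change is not applied.
    """
    current = changes[0]
    history = [hash_password(current)]
    verdicts = []
    for candidate in changes[1:]:
        verdict = evaluate_change(candidate, current, history)
        verdicts.append(verdict)
        if verdict == "ok":
            current = candidate
            history.append(hash_password(candidate))
            history = history[-depth:]
    return verdicts


if __name__ == "__main__":
    # Caught: incrementing the digit on the current password.
    print(simulate(["mypassword1", "mypassword2"]))                 # ['similar']
    # Not caught: alternating two families; each step is dissimilar to the
    # current password and not an exact hash match with anything stored.
    print(simulate(["mypassword1", "mydogsname1", "mypassword2", "mydogsname2"]))
    # Caught: exact reuse while the old hash is still within the history window.
    print(simulate(["mypassword1", "mydogsname1", "mypassword2",
                    "mydogsname2", "mypassword1"]))
```

The second run is the failure mode the post describes: 'mypassword2' sails through because its plaintext is only ever compared with 'mydogsname1', and the stored hash of 'mypassword1' cannot tell the checker that 'mypassword2' is one character away from it. Catching that would require either keeping plaintext or reversible history (the exposure STeve Andre' objects to) or generating and hashing candidate variations of the new password against the stored hashes, which is expensive and still only finds the variations you thought to enumerate.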
