Re: [suse-security] password history



On Monday 27 March 2006 18:19, discip@xxxxxxx wrote:
> I have a requirement to keep users from reusing old passwords,
> specifically, they must not choose a password that has been used within the
> past 10 passwords they have chosen.
> Is there an easy way to accomplish this?

I think this would actually impair security, depending on your setup. But 
storing a history of passwords is never a good idea, because you _know_ 
people will reuse passwords (or their trivial permutations, at least).

Though obviously a matter of debate, it is common for people to write their 
passwords down when these are difficult to remember. Definitely a phenomenon 
you want to try to avoid. Reusing old passwords does not necessarily lower 
your security. If I had to estimate whether it is more likely that 
unauthorized people have learned old passwords or that authorized people have 
written down a password because they find it difficult to remember, I would 
have little doubt that the latter is a much more severe security problem and at 
the same time more likely to occur. You will spot invalid login attempts, but 
you won't easily spot your employee having his password written down 
somewhere. All this, again, depending on your situation, but if you have 
security conscious people, you don't need to remind them of good security 
practices.

After you have given these issues some thought (and talked about them with the 
people requiring this), this is still your choice. I think such a mechanism 
should be fairly trivial to implement using PAM and probably has been, but 
unfortunately, I do not know about it.

Regards,

-- 
Jure Koren, n.i.

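The reply above suspects that PAM already implements this; the configuration below is an added example by the editor, not code from the thread or from its author. It uses the `remember=` option of pam_unix, which keeps the hashes of previous passwords in /etc/security/opasswd and rejects a new password matching any of them. The file name /etc/pam.d/common-password, the cracklib settings and the exact module stack are assumptions about a typical layout; on the SUSE releases of that time the same option name belonged to pam_pwcheck, and newer PAM releases provide the function as a separate pam_pwhistory module.

```text
# /etc/pam.d/common-password  (added example; file name and stack are assumed)
#
# Keep the last 10 password hashes in /etc/security/opasswd and refuse a new
# password that matches any of them: the "remember" option of pam_unix.
# The history is consulted only during a password change, never at login.
password  requisite  pam_cracklib.so  retry=3 minlen=8
password  required   pam_unix.so      use_authtok shadow remember=10

# On newer PAM releases the same function is a separate module that sits
# in front of pam_unix instead of the remember= option above:
# password  required   pam_pwhistory.so remember=10 use_authtok
# password  required   pam_unix.so      use_authtok shadow
```

/etc/security/opasswd must exist and be readable only by root (mode 0600, owner root); some PAM releases do not create it on their own, and a password change then fails until it is created. The file holds hashes rather than clear text, but it is still password-derived material and has to be protected like /etc/shadow.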