Found, a new rootkit

Tim ignored_mailbox at yahoo.com.au
Fri Apr 7 16:10:29 UTC 2006


Tim:
>> If you're storing *old* passwords that you don't want people to use
>> again, would it matter if they're stored as plain text?  I would imagine
>> that you could just add them to a banned passwords list.

Les Mikesell:
> They may still be used elsewhere, and if you see a sequence of
> passwords an individual has used you may notice a pattern that
> will help you guess the current one.

Good point.  Though you'd have to know which user had used which
passwords, and you'd be guessing at where they might use them.  On that
note, different services having different requirements on what you can
use as a password could actually be beneficial - making it less likely
that a user will use the same password elsewhere.

> But the real issue is that the usual way that you would have such a
> list is that you saved it from the time each password was created -
> meaning you had the plain text while they were active too.

Perhaps not necessarily.  At the time a password change gets enforced,
you could add it to the banned list.  Of course that doesn't stop some
twit from changing from "secret1" to "secret2", unless your banning list
works for partial matches.

-- 
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
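One way to get both of the properties discussed above without ever keeping old passwords in the clear, as an added illustration that is not part of this thread or of any Fedora component: retired passwords are kept only as salted PBKDF2 hashes (so a history list is no more sensitive than the live credential store), and the "secret1" to "secret2" case is caught by comparing the new password against the *current* one, which the user has to type in plain text at change time anyway. The hashing parameters, the 0.8 similarity threshold, the history depth and the `Account` class are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from difflib import SequenceMatcher

# Assumed policy values for this example.
HISTORY_DEPTH = 5          # how many retired password hashes to remember
SIMILARITY_LIMIT = 0.8     # reject a new password this similar to the current one
PBKDF2_ROUNDS = 100_000    # work factor for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time check of a candidate password against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def too_similar(old, new):
    """Partial-match rule: case-insensitive edit similarity above the limit is rejected.

    "secret1" -> "secret2" shares 6 of 7 characters, ratio 2*6/14 = 0.857, so it fails.
    """
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_LIMIT


class Account:
    """Minimal account record: current hash plus a bounded history of retired hashes."""

    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.history = []   # list of (salt, digest); no plain text is ever stored

    def change_password(self, old, new):
        # The user must prove knowledge of the current password, which also gives
        # us its plain text for the similarity check below.
        if not matches(old, self.salt, self.digest):
            return "wrong current password"
        if too_similar(old, new):
            return "too similar to current password"
        # Exact reuse is detected by re-hashing the candidate with each stored salt.
        if matches(new, self.salt, self.digest) or any(
            matches(new, s, d) for s, d in self.history
        ):
            return "password was used before"
        # Retire the current hash into the history, keeping only the newest entries.
        self.history.append((self.salt, self.digest))
        del self.history[:-HISTORY_DEPTH]
        self.salt, self.digest = hash_password(new)
        return "ok"


if __name__ == "__main__":
    acct = Account("secret1")
    print(acct.change_password("secret1", "secret2"))        # too similar to current password
    print(acct.change_password("secret1", "correct horse"))  # ok
    print(acct.change_password("correct horse", "secret1"))  # password was used before
```

The similarity test is deliberately only run against the password being replaced: the history holds hashes, so it cannot be searched for near-matches, and that limitation is the price of not holding the plain text that the quoted objection is about.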




More information about the fedora-list mailing list