
Re: PAM concepts (was: pam_{unix,pwdb}: crypt/md5 necessary?)



> 
> Steve:
> > You could have pam_{pwdb,unix} ask for the new password and "storing"
> > modules stacked after it to store the password.
> 
> Clean concepts? :)
> 
> Steve:
> > > Again, "password asking".  One good thing pam_unix can do is to
> > > ensure that the new password is not the same as one of the previous ones
> > > (remember=XXX).  Really good thing.  But -- where those old passwords
> > 
> > This is really a questionable feature.  It can both improve and hurt
> > security.  I haven't implemented it in my pam_passwdqc, yet (am only
> > checking against the current password, which is always known).

[ Both quotes above are actually taken from my reply. ]

> I think it should be available.  When password aging is used, it will stop
> changing the password twice -- first to a "fake" one and second to the old one.

Yes, that's the main purpose of storing old passwords.

> (I know about minchange also).  From your statement, password aging is also
> questionable.

No.

> I see no hurting here, since old passwords should be stored in encrypted form,
> with the same attention as "current" ones.

In hashed form, yes.  However, some of the old passwords for some of
the users will likely be weaker than current ones, so they would get
cracked earlier.  The knowledge of old passwords for a user can help
crack their current password on this and especially other systems.

Signed,
Solar Designer
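The mechanism argued over in this thread, a remember=N style password history that blocks the "change to a fake one, then back to the old one" trick, as an added illustration (not pam_unix's opasswd code or format, and not part of the original message). It uses PBKDF2 as a stand-in for whatever hash the system uses; the work factor and the user/password values are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed parameters, analogous to pam_unix's remember=N option.
REMEMBER = 3
ITERATIONS = 50_000  # PBKDF2 work factor; remembered entries are only as strong as this

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored history entries are never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class PasswordHistory:
    """Keeps the salted hashes of the last `remember` passwords per user."""

    def __init__(self, remember: int = REMEMBER):
        self.remember = remember
        self.history = {}  # user -> deque of (salt, digest), oldest first

    def is_reused(self, user: str, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is rehashed per entry.
        for salt, digest in self.history.get(user, ()):
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False

    def record(self, user: str, password: str) -> None:
        # deque(maxlen=...) evicts the oldest entry once `remember` is exceeded.
        entries = self.history.setdefault(user, deque(maxlen=self.remember))
        salt = os.urandom(16)
        entries.append((salt, hash_password(password, salt)))

def change_password(hist: PasswordHistory, user: str, current: str, new: str):
    """Return (accepted, reason) for a password change request."""
    if new == current:  # the current password is known in plaintext here
        return False, "same as current password"
    if hist.is_reused(user, new):
        return False, "matches a remembered old password"
    hist.record(user, current)  # the replaced password joins the history
    return True, "accepted"

if __name__ == "__main__":
    h = PasswordHistory(remember=2)
    print(change_password(h, "alice", "Winter2001", "tmpPass!"))    # accepted
    print(change_password(h, "alice", "tmpPass!", "Winter2001"))    # rejected: remembered
```

Each remembered hash is an extra target for offline cracking, which is the trade-off raised in the reply above: the history only helps if the stored entries are protected at least as carefully as the current hash.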


