Path: utzoo!utgpu!water!watmath!codas!mikel
From: mikel@codas.att.com (Mikel Manitius)
Newsgroups: comp.unix.wizards
Subject: Re: 60-second timeout in Unix login
Message-ID: <2482@codas.att.com>
Date: 16 Feb 88 21:08:51 GMT
References: <468@minya.UUCP>
Organization: AT&T, Altamonte Springs, FL
Lines: 21

In article <468@minya.UUCP>, jc@minya.UUCP (John Chambers) writes:
>
> If VMS can actually determine that you have used the same password, then it
> is either keeping your unencrypted password somewhere, or it encrypts it the
> same each time. Either is a major security hole, of course, and you should
> refuse to use the system (on security grounds) until they correct the problem.

Not necessarily. The system could keep an encrypted list of all passwords
used during the past N days (weeks, months), indexed per user. Any time you
try to change your password, it encrypts it once for every remembered
password, using that salt; if the two encrypted passwords match (note: same
salt), then there is a reuse, and the password is not accepted. If the
password is accepted, then it is re-encrypted with a random salt (i.e. UNIX
"makekey") and then stored. This would be just as "secure" as the UNIX
password file, only adding the burden of maintaining such a list.
--
Mikel Manitius
mikel@codas.att.com
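The scheme Mikel describes, written out as an added example (it is not code from the original post, from VMS, or from any UNIX "makekey" implementation). It assumes a per-user history of (salt, hash) pairs and uses PBKDF2-HMAC-SHA256 from the standard library in place of the old DES-based crypt(3), since that is what a modern system would use; the history is bounded by a count of remembered passwords rather than by the N-day window mentioned in the post. The user names and passwords in the usage section are constructed sample input. The check works exactly as described: the candidate is hashed once under each remembered entry's salt and compared against that entry, and only if nothing matches is it hashed under a fresh random salt and stored. No plaintext is ever kept, so the history is no weaker than the password file itself.

```python
import hashlib
import hmac
import os
from collections import deque

# Work factor for PBKDF2; a real deployment would tune this upward.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash of a password (stand-in for crypt(3)/makekey)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Per-user list of (salt, hash) pairs for previously used passwords.

    Only hashes are stored; a reuse check re-hashes the candidate under each
    remembered salt, so the same plaintext yields the same hash for that entry.
    """

    def __init__(self, remember: int = 5):
        self.remember = remember
        # user -> deque of (salt, hash); oldest entries fall off the end.
        self._history: dict[str, deque] = {}

    def is_reused(self, user: str, candidate: str) -> bool:
        """True if `candidate` matches any remembered password for `user`."""
        for salt, stored_hash in self._history.get(user, ()):
            # Hash once per remembered entry, using THAT entry's salt.
            if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
                return True
        return False

    def change_password(self, user: str, candidate: str) -> bool:
        """Accept and record a new password, or reject it as a reuse."""
        if self.is_reused(user, candidate):
            return False
        # Accepted: store under a fresh random salt, never the plaintext.
        salt = os.urandom(SALT_BYTES)
        entries = self._history.setdefault(user, deque(maxlen=self.remember))
        entries.append((salt, hash_password(candidate, salt)))
        return True

    def salts(self, user: str) -> list[bytes]:
        """Salts in use for a user (every entry gets its own)."""
        return [salt for salt, _ in self._history.get(user, ())]


if __name__ == "__main__":
    # Constructed sample run: hypothetical user and passwords.
    hist = PasswordHistory(remember=3)
    print(hist.change_password("jc", "correct horse"))   # True, first use
    print(hist.change_password("jc", "correct horse"))   # False, reuse
    print(hist.change_password("jc", "battery staple"))  # True
    print(len(set(hist.salts("jc"))) == len(hist.salts("jc")))  # True, distinct salts
```

Because the history is a bounded deque, a password older than `remember` changes is forgotten and becomes acceptable again, which is the "past N" behaviour the post describes with a count instead of a date.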