Path: utzoo!utgpu!water!watmath!clyde!bellcore!decvax!ucbvax!pasteur!ames!umd5!trantor.umd.edu!chris
From: chris@trantor.umd.edu (Chris Torek)
Newsgroups: comp.unix.wizards
Subject: Re: reusing passwords
Message-ID: <2304@umd5.umd.edu>
Date: 16 Feb 88 11:05:49 GMT
References: <10578@brl-adm.ARPA> <721X@jimi.cs.unlv.edu> <465@xios.XIOS.UUCP> <468@minya.UUCP>
Sender: ris@umd5.umd.edu
Reply-To: chris@trantor.umd.edu (Chris Torek)
Organization: University of Maryland, College Park
Lines: 15

In article <468@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
>If VMS can actually determine that you have used the same password, then it
>is either keeping your unencrypted password somewhere, or it encrypts it the
>same each time. Either is a major security hole....

Neither is necessary. Using the `salted DES' approach, you could just
store the old encrypted passwords somewhere, and compare against each
one in the same way you compare against the current one at login.

Knowing VMS as superficially as I do :-) , however, I would stay
suspicious until someone outside of DEC marketing claims it is secure :-) .
--
In-Real-Life: Chris Torek, Univ of MD Computer Science, +1 301 454 7163
(hiding out on trantor.umd.edu until mimsy is reassembled in its new home)
Domain: chris@mimsy.umd.edu Path: not easily reachable