Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!decwrl!hplabs!sdcrdcf!ism780c!mikep
From: mikep@ism780c.UUCP (Michael A. Petonic)
Newsgroups: comp.unix.wizards
Subject: Re: Remembering old passwords (was 60-second timeout in Unix login)
Message-ID: <9091@ism780c.UUCP>
Date: 18 Feb 88 18:56:36 GMT
References: <10578@brl-adm.ARPA> <721X@jimi.cs.unlv.edu> <465@xios.XIOS.UUCP> <18083@topaz.rutgers.edu> <2178@ttrdc.UUCP>
Reply-To: mikep@ism780c.UUCP (Michael A. Petonic)
Organization: Interactive Systems Corp., Santa Monica CA
Lines: 24

In article <2178@ttrdc.UUCP> levy@ttrdc.UUCP (Daniel R. Levy) writes:
>In article <18083@topaz.rutgers.edu>, ron@topaz.rutgers.edu (Ron Natalie) writes:
>> Actually at BRL, it remembers all past passwords that everyone used and
>> won't ever let you reuse them (or use the "passwd" program to set two
>> accounts to the same password).
>
>How is this implemented without saving passwords somewhere in the clear?
>Also -- if "passwd" unexpectedly refuses to let a user set a proposed password
>he has chosen, it would be a tipoff that he has stumbled over somebody else's
>current password.

For the first part, an easy method would be:

	for each item in old password list (in encrypted form)
		get salt from old password
		encrypt new proposed password with salt from old password
		if they are the same, notify user that he can't use it.

I don't think BRL's method would tip off whether the password is
a current password of some other user's.  It would, however, tell
you what has been used before, since it stores all used passwords from
everybody since the dawn of time.

-MikeP
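
The loop sketched in the article above, written out as an added Python example (it is not part of the original post and is not BRL's code). Assumptions: PBKDF2-HMAC-SHA256 stands in for the crypt(3) hashing the post refers to, the function names are hypothetical, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 replaces crypt(3); each history entry keeps
# its own salt, the way an old passwd field carries the salt it was made with.
ITERATIONS = 10_000  # illustrative value, kept low so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a password under a given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_entry(password: str) -> tuple[bytes, bytes]:
    """Create a (salt, digest) history entry with a fresh random salt."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def is_reused(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Re-hash the candidate under every stored salt and compare digests.

    No cleartext is stored; the cost is one hash computation per entry.
    """
    reused = False
    for salt, digest in history:
        # Constant-time comparison; the whole list is scanned even after a
        # match so the running time does not depend on where the match is.
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            reused = True
    return reused


def change_password(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Reject a reused password, otherwise record its salted hash."""
    if is_reused(candidate, history):
        return False
    history.append(make_entry(candidate))
    return True


if __name__ == "__main__":
    # Constructed sample history, not data from the post.
    history = [make_entry(p) for p in ("old-one", "old-two")]
    print(change_password("old-two", history))
    print(change_password("brand-new", history))
```

With one history shared by every account, as the article describes for BRL, a rejection tells the caller that someone has used the candidate before; the same check run against a per-user list does not.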