Path: utzoo!mnetor!uunet!husc6!mailrus!umix!umich!mibte!gamma!sabre!faline!scherzo!allegra!alice!ark
From: ark@alice.UUCP
Newsgroups: comp.unix.wizards
Subject: Re: Remembering old passwords (was 60-second timeout in Unix login)
Message-ID: <7706@alice.UUCP>
Date: 18 Feb 88 14:00:15 GMT
References: <10578@brl-adm.ARPA> <721X@jimi.cs.unlv.edu> <465@xios.XIOS.UUCP> <2178@ttrdc.UUCP>
Organization: AT&T Bell Laboratories, Liberty Corner NJ
Lines: 24

In article <2178@ttrdc.UUCP>, levy@ttrdc.UUCP writes:
> In article <18083@topaz.rutgers.edu>, ron@topaz.rutgers.edu (Ron Natalie) writes:
> > Actually at BRL, it remembers all past passwords that everyone used and
> > won't ever let you reuse them (or use the "passwd" program to set two
> > accounts to the same password).
>
> How is this implemented without saving passwords somewhere in the clear?
> Also -- if "passwd" unexpectedly refuses to let a user set a proposed password
> he has chosen, it would be a tipoff that he has stumbled over somebody else's
> current password.

Easy solutions to both problems:

1. Run the passwords through the sort of irreversible hash function
   used with /etc/passwd before storing them. When a user selects a
   new password, hash it and look up the hashed password in the database.

2. Seed the database with every easy password you can think of, such
   as everything in an unabridged dictionary, a bunch of people's names,
   etc. If the database starts with half a million entries, you haven't
   learned much when the system tells you you've picked a bad password.
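The two steps above, worked through as an added example in Python; this is editorial illustration, not code from the post or from the BRL system it describes. One point the post leaves implicit: a direct lookup of "the hashed password in the database" only works if the hash is deterministic, whereas the /etc/passwd hash carries a per-entry salt, so a candidate would have to be re-hashed against every stored salt. The example therefore keeps two separate stores: a reuse table of keyed, unsalted tags (an HMAC under a site secret, so the table alone is not a bare dictionary of hashes) that gives the O(1) lookup the post wants, and ordinary per-user salted verifiers for login. The site key, the seed words and the user names are constructed for the demonstration; a real deployment would load the key from a file readable only by the passwd program.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Set

# Hypothetical site-wide secret for the reuse table. Constructed for this
# example; in practice it is loaded from a protected file, never hard-coded.
SITE_KEY = b"constructed-example-key-not-for-real-use"

# Step 2 of the post: seed the table with easy passwords. A constructed
# stand-in for "everything in an unabridged dictionary, a bunch of names".
SEED_WORDS = ["password", "secret", "welcome", "letmein", "alice", "bob"]

PBKDF2_ROUNDS = 100_000


def reuse_tag(password: str, key: bytes = SITE_KEY) -> str:
    """Deterministic keyed hash used only for the reuse/blacklist lookup.

    No per-entry salt, so one candidate maps to exactly one tag and can be
    looked up directly (the post's step 1). Keyed, so the table on its own
    does not hand an attacker a plain list of password hashes.
    """
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def make_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user salted verifier: the analogue of the /etc/passwd entry."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def check_verifier(password: str, verifier: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    salt_hex, dk_hex = verifier.split("$", 1)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


class PasswordDatabase:
    """Remembers every password ever set (as keyed tags) plus login verifiers."""

    def __init__(self, seed_words: Iterable[str] = ()):
        self.used: Set[str] = set()          # tags of every password ever set or seeded
        self.verifiers: Dict[str, str] = {}  # user -> current salted verifier
        self.seed(seed_words)

    def seed(self, words: Iterable[str]) -> None:
        """Step 2: pre-populate the reuse table so a refusal reveals little."""
        for w in words:
            self.used.add(reuse_tag(w))

    def set_password(self, user: str, candidate: str) -> bool:
        """Step 1: refuse any candidate whose tag is already in the table.

        A seeded dictionary word, a past password, and another user's
        current password all produce the same refusal.
        """
        tag = reuse_tag(candidate)
        if tag in self.used:
            return False
        self.used.add(tag)  # old passwords stay in the table after a change
        self.verifiers[user] = make_verifier(candidate)
        return True

    def login(self, user: str, password: str) -> bool:
        """Ordinary login check against the salted verifier, not the tag table."""
        v = self.verifiers.get(user)
        return v is not None and check_verifier(password, v)


if __name__ == "__main__":
    db = PasswordDatabase(SEED_WORDS)
    print(db.set_password("alice", "password"))      # False: seeded word
    print(db.set_password("alice", "Tr0ub4dor&3"))   # True
    print(db.set_password("bob", "Tr0ub4dor&3"))     # False: already in use
    print(db.login("alice", "Tr0ub4dor&3"))          # True
```

The reuse table never stores a password in the clear, which answers the first question; the seeding answers the second, since a refusal could just as well mean the candidate was one of the seeded words. The remaining exposure is the site key: anyone who obtains both the table and the key can test candidates against it offline at HMAC speed, so the key deserves the same protection as the verifier file itself.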