Path: utzoo!attcan!uunet!lll-winken!ames!amdahl!pacbell!pbhya!whh
From: whh@pbhya.PacBell.COM (Wilson Heydt)
Newsgroups: comp.unix.questions
Subject: Re: Need help with password aging
Message-ID: <24831@pbhya.PacBell.COM>
Date: 20 Mar 89 16:45:08 GMT
References: <179@camdev.UUCP> <9059@alice.UUCP> <1071@vsi.COM> <8656@sneaky.TANDY.COM>
Distribution: na
Organization: Pacific * Bell, Oakland, CA
Lines: 23

In article <8656@sneaky.TANDY.COM>, gordon@sneaky.TANDY.COM (Gordon Burditt) writes:

> If you want to fix that, keep records of a few old passwords *IN ENCRYPTED
> FORM*, and don't allow re-use. I don't agree with a previous poster who
> claims that this is a cure worse than the disease. Encrypted passwords
> that don't work anyway aren't that much of a risk, and there is no reason to
> make them widely readable. This will encourage the user to switch between
> several passwords, probably the same password with a variable field for the
> month that changes each time. This might be slightly more secure than
> switching between two passwords. A few security-conscious users, hopefully
> including the administrator, might actually think up good passwords.

The problem that this scheme presents is that if the file of old passwords is broken, then the *pattern* of password picks for a given account may be discernible. While this is not useful for breaking the account of someone who picks really *good* passwords--effectively random--this is not the general case.

If you doubt this, go read Kahn's "The Codebreakers" on the subject of Soviet one-time pads.

=========================================================================
Hal Heydt                    | Money is the root of all
Analyst, Pacific*Bell        | evil--and a man *needs*
415-645-7708                 | roots.
whh@pbhya.PacBell.COM