Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!decvax!virgin!lemuria!dpw
From: dpw@lemuria.usi.com (Darryl P. Wagoner)
Newsgroups: comp.unix.questions
Subject: Re: Need help with password aging
Message-ID: <1215@lemuria.usi.com>
Date: 22 Mar 89 02:54:42 GMT
References: <179@camdev.UUCP> <9059@alice.UUCP> <1071@vsi.COM> <8656@sneaky.TANDY.COM>
Reply-To: dpw@lemuria.UUCP (Darryl P. Wagoner)
Distribution: na
Organization: Digital (Secure Workstation Project) Boxboro, Ma
Lines: 24

This is really something that should be done in login(1) and passwd(1)
commands. If you don't have a shadow password file then use a password
aging file. I don't like time warnings as much as I do notices, i.e.:
you have X logins to change your passwd, otherwise login will force you
to change.

There are also other games you can play, like expire the password if more
than X attempts have been made on that account. Or a password aging based
upon the number of valid logins. You get the idea.

The other thing that passwd(1) can do is to check the passwd against a bad
passwd file and gcos data, then reject the passwd if it matches over
X percent.

As far as keeping a history of old passwords, that one is a hard call.
I don't think that you would gain enough to make it worthwhile.

--
Darryl Wagoner (home) dpw@lemuria.uucp or wagoner@imokay.dec.com
Digital Equipment Corp; OS/2, Just say No!
Boxboro, Ma (w) 508-264-5586 UUCP: virgin!lemuria!dpw
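
The bad-password and gcos check described in the post above, as an added example that is not part of the original post and not code from any passwd(1) implementation. Assumptions: the function names, the constructed sample data, the "match percent" metric (longest shared substring as a share of the password length, since the post only says "X percent"), and the 3-character minimum for gcos tokens.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample data (assumption, not from the post). */
static const char *const BAD[] = { "password", "qwerty", "letmein" };
static const char GECOS[] = "Jane Q. Example,Room 12,555-0100";
static int lc(char c) { return tolower((unsigned char)c); }

/* Percent of pw covered by its longest case-insensitive substring in word. */
static int match_percent(const char *pw, const char *word)
{
    size_t n = strlen(pw), m = strlen(word), best = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < m; j++) {
            size_t k = 0;
            while (i + k < n && j + k < m && lc(pw[i + k]) == lc(word[j + k]))
                k++;
            if (k > best) best = k;
        }
    return n ? (int)(best * 100 / n) : 100;   /* empty password scores 100 */
}

/* 1 = reject: pw matches a bad-list word, or a GECOS token of 3+
 * characters, by more than threshold percent. */
static int passwd_rejected(const char *pw, const char *gecos,
                           const char *const *bad, size_t nbad, int threshold)
{
    char tok[64]; size_t len = 0;
    for (size_t i = 0; i < nbad; i++)
        if (match_percent(pw, bad[i]) > threshold) return 1;
    for (const char *p = gecos; ; p++) {     /* split on non-alphanumerics */
        if (*p && isalnum((unsigned char)*p)) {
            if (len < sizeof tok - 1) tok[len++] = *p;
            continue;
        }
        tok[len] = '\0';
        if (len >= 3 && match_percent(pw, tok) > threshold) return 1;
        len = 0;
        if (!*p) break;
    }
    return 0;
}

int main(void)
{
    const char *cand[] = { "example7", "Passw0rd", "tr0ub4dor&3" };
    for (size_t i = 0; i < 3; i++)
        printf("%-12s %d\n", cand[i], passwd_rejected(cand[i], GECOS, BAD, 3, 60));
    return 0;
}
```

Short tokens such as initials are skipped because a one- or two-character overlap would otherwise reject nearly every short password.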