Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!usc!wuarchive!texbell!bigtex!natinst!rpp386!jfh
From: jfh@rpp386.cactus.org (John F. Haugh II)
Newsgroups: comp.unix.wizards
Subject: Re: What should the password/security/userinfo/login system include?
Message-ID: <17458@rpp386.cactus.org>
Date: 17 Dec 89 06:46:59 GMT
References: <4180@sbcs.sunysb.edu> <1989Dec7.172233.10130@chinet.chi.il.us> <7284@ficc.uu.net> <1989Dec16.054850.5881@chinet.chi.il.us>
Reply-To: jfh@rpp386.cactus.org (John F. Haugh II)
Distribution: usa
Organization: Lone Star Cafe and BBS Service
Lines: 18

In article <1989Dec16.054850.5881@chinet.chi.il.us> les@chinet.chi.il.us (Leslie Mikesell) writes:
>In article <6602@jpl-devvax.JPL.NASA.GOV> lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>
>>We disallow both of these.  The new password must be sufficiently different
>>from the old one.  You can't EVER reuse a password on our system, period.
>
>Does this mean that you keep a file containing the old passwords around
>(like everyone has been saying is a security risk)?

No, you only need to keep the already-encrypted passwords laying
around.  You then take the trial password and encrypt it using
the salt for the old password and compare the result of the
encryption.  If they match, reject the new password.
-- 
John F. Haugh II                        +-Things you didn't want to know:------
VoiceNet: (512) 832-8832   Data: -8835  | In Ham lingo DEC is rot-13 for "Low
InterNet: jfh@rpp386.cactus.org         | Power".  "CPU?"  "QRP Vax-11."
UUCPNet:  {texbell|bigtex}!rpp386!jfh   +--------------------------------------
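
The history check described in the article above, as an added example that is not part of the original post: only salted hashes of retired passwords are stored, and a trial password is re-hashed under each old salt and compared. Assumptions: PBKDF2-HMAC-SHA256 from Python's hashlib stands in for the crypt(3) of the period, and every name and sample value below is hypothetical.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

# Added example; all names are illustrative.
# Assumption: PBKDF2-HMAC-SHA256 stands in for crypt(3).
ITERATIONS = 100_000
SALT_BYTES = 16


class HistoryEntry(NamedTuple):
    salt: bytes      # stored in the clear beside the hash, as with crypt(3)
    digest: bytes    # one-way hash of the retired password


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_entry(password: str) -> HistoryEntry:
    salt = os.urandom(SALT_BYTES)
    return HistoryEntry(salt, hash_password(password, salt))


def is_reused(candidate: str, history: list[HistoryEntry]) -> bool:
    """Re-hash the candidate under each old salt and compare with the old hash."""
    reused = False
    for entry in history:
        trial = hash_password(candidate, entry.salt)
        # Constant-time compare; keep looping so timing does not show which entry matched.
        if hmac.compare_digest(trial, entry.digest):
            reused = True
    return reused


def change_password(new_password: str, history: list[HistoryEntry]) -> bool:
    """Reject a reused password; otherwise record its hash in the history."""
    if is_reused(new_password, history):
        return False
    history.append(make_entry(new_password))
    return True


# Constructed sample history: two retired passwords, each under its own salt.
def sample_history() -> list[HistoryEntry]:
    return [make_entry("correct horse"), make_entry("battery staple")]
```

The comparison detects exact reuse only: a near-variant of a retired password hashes to an unrelated value, so a "sufficiently different" rule can be applied only to the current password the user types during the change.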