From owner-freebsd-hackers Wed Jan 19 14:38:19 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from mail.medsp.com (medsp.com [209.203.250.120]) by hub.freebsd.org (Postfix) with ESMTP id 225C214CCF for ; Wed, 19 Jan 2000 14:38:12 -0800 (PST) (envelope-from scott@mail.medsp.com)
Received: (from scott@localhost) by mail.medsp.com (8.9.3/8.9.3) id OAA86571 for hackers@freebsd.org; Wed, 19 Jan 2000 14:42:54 -0800 (PST) (envelope-from scott)
Date: Wed, 19 Jan 2000 14:42:54 -0800
From: Scott Gasch
To: hackers@freebsd.org
Subject: reuse of old passwords
Message-ID: <20000119144254.A86549@www.medsp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre2i
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

The current behavior for forcing a user to change his password on FreeBSD seems to allow the reuse of the same password. In a sense, this behavior defeats the purpose of forcing password changes. With this thought in mind I wrote a simple patch to passwd that will not allow the user to select the same password again... indeed, it will not allow him to reuse any of his last N passwords (N is configurable).

After I wrote this I began to think about why it might be a bad thing. Someone mentioned that security policies where a user is, for example, forced to change his password every 90 days and may not reuse any of his prior 10 passwords are _less_ secure, as they encourage users to write down their passwords.

Another possible drawback is that the plaintext newly selected password is in memory longer and is, indeed, passed from getnewpasswd (in local_passwd.c) to another routine for historical validation. To me this is a minor issue, but it may not be so for others.

So my questions are: what is the thinking behind allowing a user to reuse the same password again? If this is the policy, what is the sense of forcing a password change? What are your concerns with a policy that would not allow old password reuse?

Thanks,
Scott

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
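The history check Scott describes, written out as an added example (this is not his patch and not FreeBSD's passwd; it is a stand-alone illustration of the same idea). It also shows why the plaintext has to travel to the validation routine at all: each remembered password is stored as a salted hash, so the only way to test a candidate against the history is to re-derive it under every old salt. The PBKDF2 parameters, the history depth and the function names are assumptions made for the example, not anything taken from the message or from local_passwd.c.

```python
"""Reject a new password that matches any of the user's last N passwords.

Added example, not code from the FreeBSD tree or from the message above.
History entries keep their own random salt next to the hash, so checking a
candidate means re-deriving it with each stored salt.  That is exactly why
the plaintext must reach this routine, which is the lifetime concern raised
in the message.
"""
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 10        # N: how many previous passwords are remembered (assumed)
PBKDF2_ROUNDS = 100_000   # cost parameter, assumed for the example


def derive(password: bytes, salt: bytes) -> bytes:
    """Salted, slow hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Bounded list of (salt, digest) pairs, oldest first; the oldest entry
    is dropped automatically once more than `depth` have been recorded."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)

    def record(self, password: bytes) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, derive(password, salt)))

    def was_used(self, candidate: bytes) -> bool:
        # Walk every entry rather than returning on the first hit, so the
        # time taken does not reveal which historical slot matched.
        hit = False
        for salt, digest in self._entries:
            if hmac.compare_digest(derive(candidate, salt), digest):
                hit = True
        return hit

    def __len__(self) -> int:
        return len(self._entries)


def change_password(history: PasswordHistory, new_password: bytearray) -> bool:
    """Accept the new password (recording it) unless it is in the history.

    Returns True when accepted, False when rejected.  The caller's buffer is
    zeroed on every exit path so the plaintext does not outlive the check;
    in Python this is best effort, since the bytes() copies made below are
    immutable and only freed by the garbage collector.
    """
    try:
        candidate = bytes(new_password)
        if history.was_used(candidate):
            return False
        history.record(candidate)
        return True
    finally:
        for i in range(len(new_password)):
            new_password[i] = 0


if __name__ == "__main__":
    # Constructed sample run: three old passwords, then one reuse attempt.
    hist = PasswordHistory(depth=3)
    for old in (b"alpha", b"bravo", b"charlie"):
        hist.record(old)
    buf = bytearray(b"bravo")
    print("reuse of 'bravo' accepted:", change_password(hist, buf))
    buf = bytearray(b"delta")
    print("fresh 'delta' accepted:", change_password(hist, buf))
```

Two details worth noting when doing this in a real passwd: the history file must be as protected as the password database itself (it is a second copy of hashed credentials for every user), and the window of N only holds if the tool also refuses N rapid back-to-back changes that would cycle the old password back in, which is a minimum-age policy rather than a history check.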