Date: Wed, 19 Jan 2000 14:42:54 -0800 From: Scott Gasch <scott@mail.medsp.com> To: hackers@freebsd.org Subject: reuse of old passwords Message-ID: <20000119144254.A86549@www.medsp.com>
Hello,

The current behavior for forcing a user to change his password on FreeBSD seems to allow the reuse of the same password. In a sense, this behavior defeats the purpose of forcing password changes. With this thought in mind I wrote a simple patch to passwd that will not allow the user to select the same password again... indeed it will not allow him to reuse any of his last N passwords (N is configurable).

After I wrote this I began to think about why it might be a bad thing. Someone mentioned that security policies where a user is, for example, forced to change his password every 90 days and may not reuse any of his prior 10 passwords are _less_ secure as they encourage users to write down their passwords. Another possible drawback is that the plaintext newly selected password is in memory longer and is, indeed, passed from getnewpasswd (in local_passwd.c) to another routine for historical validation. To me this is a minor issue but it may not be so for others.

So my questions are: what is the thinking behind allowing a user to reuse the same password again? If this is the policy, what is the sense of forcing a password change? What are your concerns with a policy that would not allow old password reuse?

Thanks,
Scott

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
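The "last N passwords" check the message describes, written as an added Python illustration rather than the author's passwd patch: each history entry keeps its own salt so the file stores only digests, the candidate is re-hashed per entry (so the plaintext is needed during validation, the concern raised above), and the history file format and depth are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

# Assumed (hypothetical) history format: one "salt_hex$digest_hex" line per
# entry, newest first. PBKDF2-HMAC-SHA256 stands in for the system crypt().
ITERATIONS = 50_000


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """The last `depth` password digests of one account (configurable N)."""

    def __init__(self, depth: int, entries=()):
        self.depth = depth
        # Newest first; the deque silently drops the oldest past `depth`.
        self.entries = deque(list(entries)[:depth], maxlen=depth)

    def was_used(self, candidate: str) -> bool:
        # Every entry has its own salt, so the candidate must be hashed once
        # per entry; compare_digest keeps the comparison constant-time.
        return any(hmac.compare_digest(_digest(candidate, salt), digest)
                   for salt, digest in self.entries)

    def record(self, new_password: str) -> None:
        salt = os.urandom(16)
        self.entries.appendleft((salt, _digest(new_password, salt)))

    def serialize(self) -> str:
        return "\n".join(f"{s.hex()}${d.hex()}" for s, d in self.entries)

    @classmethod
    def parse(cls, depth: int, text: str) -> "PasswordHistory":
        entries = []
        for line in text.splitlines():
            if line.strip():
                s, d = line.split("$", 1)
                entries.append((bytes.fromhex(s), bytes.fromhex(d)))
        return cls(depth, entries)


def change_password(history: PasswordHistory, proposed: str):
    """What a passwd front end would do after getnewpasswd returns."""
    if history.was_used(proposed):
        return False, f"password was one of the last {history.depth} used"
    history.record(proposed)
    return True, "ok"
```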