What should the password/security/userinfo/login system include?

Leslie Mikesell les at chinet.chi.il.us
Sat Dec 16 16:48:50 AEST 1989


In article <6602 at jpl-devvax.JPL.NASA.GOV> lwall at jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:

>We disallow both of these.  The new password must be sufficiently different
>from the old one.  You can't EVER reuse a password on our system, period.

Does this mean that you keep a file containing the old passwords around
(like everyone has been saying is a security risk)?

>Password aging definitely improves security here.  I don't like it any
>more than the users do, since I have to change their forgotten passwords
>more often than they forget them (me being one and them being many).
>But passwords do have a habit of leaking out from non-conscientious
>users occasionally, so we have to punish the innocent with the guilty
>in order to get the level of security we require.

I'm sure your requirements are a bit different than most systems, but
has this really been demonstrated to be true?  Won't users be more
likely to keep written copies of their password if they are required
to change often?
 
>You get a whole week's warning by mail here so you aren't suddenly forced
>to think up a new password at an importune moment.

That would help, but only if you work on that system consistently.  What
if you need to connect to 5 or 6 different machines a few times a month?
What if you want to make a machine connect and retrieve something for
you via an automatic login script?  I take it that you don't have any
uucp logins on these machines... 

>We have no extra stuff in our password file for aging.  The age in weeks,
>modulo 64, is encoded into one of the salt characters (perturbed by the
>first two characters of the login name so that salts are still randomly
>distributed; also, the other salt character is still totally random.)

So you don't see any need to make the encrypted password unreadable?


Les Mikesell
  les at chinet.chi.il.us
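
The aging scheme described in the quoted text above (age in weeks, modulo 64, stored in one salt character and perturbed by the first two login characters), as an added sketch that is not code from this post or from the system it discusses. The perturbation function (sum of the two characters modulo 64), the function names and the sample date are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* The 64-character alphabet used for traditional crypt(3) salts. */
static const char SALT64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

#define SECS_PER_WEEK (7L * 24 * 60 * 60)

/* ASSUMPTION: the post does not say how the login name perturbs the
 * salt; this sketch adds the first two login characters modulo 64. */
static unsigned login_offset(const char *login)
{
    unsigned a = (unsigned char)login[0];
    unsigned b = a ? (unsigned char)login[1] : 0;
    return (a + b) & 63;
}

/* Salt character recording the week in which the password was set. */
char aging_salt_char(const char *login, time_t set_time)
{
    unsigned week = (unsigned)((long)set_time / SECS_PER_WEEK);
    return SALT64[(week + login_offset(login)) & 63];
}

/* Apparent age in weeks (0..63), or -1 if c is not a salt character. */
int password_age_weeks(const char *login, char c, time_t now)
{
    const char *p = c ? strchr(SALT64, c) : NULL;
    if (p == NULL)
        return -1;
    unsigned stamp = ((unsigned)(p - SALT64) - login_offset(login)) & 63;
    unsigned week = (unsigned)((long)now / SECS_PER_WEEK);
    return (int)((week - stamp) & 63);
}

int main(void)
{
    time_t set = 1043 * SECS_PER_WEEK;   /* constructed date, late 1989 */
    char c = aging_salt_char("les", set);
    printf("salt char %c, age after 10 weeks: %d\n", c,
           password_age_weeks("les", c, set + 10 * SECS_PER_WEEK));
    printf("age after 64 weeks: %d\n",
           password_age_weeks("les", c, set + 64 * SECS_PER_WEEK));
    return 0;
}
```

Because only the week number modulo 64 is stored, a password left unchanged for 64 weeks decodes as age 0 again, so expiry has to be enforced before the counter wraps. The age is also recoverable by anyone who can read the salt and the login name.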


