What should the password/security/userinfo/login system include?

John F. Haugh II jfh at rpp386.cactus.org
Sun Dec 17 17:46:59 AEST 1989


In article <1989Dec16.054850.5881 at chinet.chi.il.us> les at chinet.chi.il.us (Leslie Mikesell) writes:
>In article <6602 at jpl-devvax.JPL.NASA.GOV> lwall at jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>
>>We disallow both of these.  The new password must be sufficiently different
>>from the old one.  You can't EVER reuse a password on our system, period.
>
>Does this mean that you keep a file containing the old passwords around
>(like everyone has been saying is a security risk)?

No, you only need to keep the already-encrypted passwords lying around.
You then take the trial password and encrypt it using the salt for the
old password and compare the result of the encryption.  If they match,
reject the new password.
-- 
John F. Haugh II                        +-Things you didn't want to know:------
VoiceNet: (512) 832-8832   Data: -8835  | In Ham lingo DEC is rot-13 for "Low
InterNet: jfh at rpp386.cactus.org         | Power".  "CPU?"  "QRP Vax-11."
UUCPNet:  {texbell|bigtex}!rpp386!jfh   +--------------------------------------
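
The check described in the reply above, as an added example that is not part of the original post. It assumes PBKDF2-HMAC-SHA256 from Python's hashlib in place of crypt(3); the function names, the history layout and the iteration count are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; PBKDF2 stands in for crypt(3) here (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_history_entry(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the plaintext is never kept."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def is_reused(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Hash the candidate under each old salt and compare with the old digest."""
    reused = False
    for salt, old_digest in history:
        trial = hash_password(candidate, salt)
        # Constant-time comparison; the loop always runs over the full history
        # so timing does not reveal which entry matched.
        if hmac.compare_digest(trial, old_digest):
            reused = True
    return reused


def change_password(new_password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Reject a reused password; otherwise append its salted hash to the history."""
    if is_reused(new_password, history):
        return False
    history.append(new_history_entry(new_password))
    return True
```

This detects exact reuse only: hashes of similar passwords are unrelated, so a "sufficiently different" test has to be done against the current password while its plaintext is available during the change. The history entries are still crackable offline, so the file needs the same access restrictions as the live password hashes.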


