Ashley Gould wrote:
The managers are discussing password requirements. One desire is to disallow previously used passwords with memory of up to ten passwords used. Is there a sweet and simple way to implement this in SLES9/10? I don't see a pam module with this facility.
Others have pointed out the technical methods, but honestly, I would suggest to you that the policy is unwise. Security is as much a human issue as a technical one. In my experience, forcing people to keep changing passwords has one single effect: people will write them down. I would much prefer for someone to have a password they can remember that never changes than to have passwords written all over Post-it notes. Think about what you gain from changing passwords and measure it against what you lose by having passwords written down all over the place.

The problem is password leakage. If a password falls into the wrong hands, your security is breached. But what causes passwords to fall into the wrong hands? What about changing passwords at intervals will prevent leakage? Not much. Think about it. Nearly all avenues of password leakage are current, so changing it every month or three months is really irrelevant. As soon as the perp has the password, he's in and the damage is done. Changing the password next month won't do any good. Dictionary attacks and whatnot are equally irrelevant to password changes; they don't take a month to perform, so the chances of you changing your password mid-attack are slim.

Making your users' lives simpler has a much greater beneficial effect on security. The more hoops they have to jump through, the greater the chance that they will simply circumvent the procedure.