On Monday 27 March 2006 18:19, discip@pjm.com wrote:

I have a requirement to keep users from reusing old passwords, specifically, they must not choose a password that has been used within the past 10 passwords they have chosen. Is there an easy way to accomplish this?

I think this would actually impair security, depending on your setup. But storing a history of passwords is never a good idea, because you _know_ people will reuse passwords (or their trivial permutations, at least). Though obviously a matter of debate, it is common for people to write their passwords down when these are difficult to remember. Definitely a phenomenon you want to try to avoid. Reusing old passwords does not necessarily lower your security. If I had to estimate whether it is more likely that unauthorized people have learned old passwords or authorized people writing down a password, because they find it difficult to remember, I would have little doubt that the latter is a much more severe security problem and at the same time more likely to occur. You will spot invalid login attempts, but you won't easily spot your employee having his password written down somewhere. All this, again, depending on your situation, but if you have security conscious people, you don't need to remind them of good security practices. After you have given a thought (and talked about with people requiring this) about these issues, this is still your choice. I think such a mechanism should be fairly trivial to implement using PAM and probably has been, but unfortunately, I do not know about it. Regards, -- Jure Koren, n.i.