Mailinglist Archive: opensuse-security (109 mails)

Re: [suse-security] password history
  • From: Jure Koren <jure@xxxxxxxxxx>
  • Date: Mon, 27 Mar 2006 19:18:51 +0200
  • Message-id: <200603271918.53494.jure@xxxxxxxxxx>
On Monday 27 March 2006 18:19, discip@xxxxxxx wrote:
> I have a requirement to keep users from reusing old passwords,
> specifically, they must not choose a password that has been used within the
> past 10 passwords they have chosen.
> Is there an easy way to accomplish this?

I think this would actually impair security, depending on your setup. But
storing a history of passwords is never a good idea, because you _know_
people will reuse passwords (or their trivial permutations, at least).

Though obviously a matter of debate, it is common for people to write their
passwords down when these are difficult to remember. Definitely a phenomenon
you want to try to avoid. Reusing old passwords does not necessarily lower
your security. If I had to estimate whether it is more likely that
unauthorized people have learned old passwords or that authorized people have
written down a password because they find it difficult to remember, I would
have little doubt that the latter is a much more severe security problem and
at the same time more likely to occur. You will spot invalid login attempts, but
you won't easily spot your employee having his password written down
somewhere. All this, again, depending on your situation, but if you have
security conscious people, you don't need to remind them of good security
practices.

After you have given these issues some thought (and talked about them with the
people requiring this), this is still your choice. I think such a mechanism
should be fairly trivial to implement using PAM and probably has been, but
unfortunately, I do not know about it.

Regards,

--
Jure Koren, n.i.
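The mechanism discussed in the thread, keeping the last N passwords so that a new one can be rejected if it repeats any of them, is small enough to show in full. The Python below is an added illustration, not code from the thread or from any PAM module: it stores only salted PBKDF2 hashes of previous passwords (never the passwords themselves, which addresses part of the concern above), keeps a sliding window of the 10 most recent entries, and rejects a change that matches any entry in the window. The class and function names and the constructed sample passwords are assumptions for the example. On Linux-PAM the same idea is provided by the `pam_pwhistory` module's `remember=` option.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 10          # "past 10 passwords" from the original request
DEFAULT_ROUNDS = 100_000    # PBKDF2 iteration count; raise on fast hardware


class PasswordHistory:
    """Sliding window of salted hashes for one account (hypothetical helper).

    Only (salt, hash) pairs are kept, so a leaked history does not reveal
    the old passwords directly; each entry has its own random salt.
    """

    def __init__(self, depth: int = HISTORY_DEPTH, rounds: int = DEFAULT_ROUNDS):
        self.rounds = rounds
        # deque(maxlen=depth) drops the oldest entry automatically once
        # the window is full, which is exactly the "last N" semantics.
        self._entries = deque(maxlen=depth)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.rounds
        )

    def was_used(self, password: str) -> bool:
        """True if the password matches any entry still inside the window."""
        for salt, digest in self._entries:
            # constant-time comparison avoids leaking which entry matched
            if hmac.compare_digest(self._derive(password, salt), digest):
                return True
        return False

    def record(self, password: str) -> None:
        """Append the new password's salted hash, evicting the oldest if full."""
        salt = os.urandom(16)
        self._entries.append((salt, self._derive(password, salt)))

    def __len__(self) -> int:
        return len(self._entries)


def change_password(history: PasswordHistory, new_password: str) -> bool:
    """Apply the history rule: reject reuse, otherwise record and accept."""
    if history.was_used(new_password):
        return False
    history.record(new_password)
    return True


if __name__ == "__main__":
    # Constructed walk-through with a window of 3 to keep it short.
    h = PasswordHistory(depth=3)
    for pw in ("correct-horse-1", "correct-horse-2", "correct-horse-3"):
        print(pw, "->", change_password(h, pw))
    print("reuse of first:", change_password(h, "correct-horse-1"))   # False
    print("new one:", change_password(h, "correct-horse-4"))          # True
    # The first password has now fallen out of the 3-entry window.
    print("first again:", change_password(h, "correct-horse-1"))      # True
```

Note that the window is by count, not by time: once `depth` newer passwords have been set, an old one becomes acceptable again, which is the behaviour the original request asked for and also the limit of what such a rule can enforce. Trivial variations of an old password (a changed digit, a swapped case) are not caught by exact-match history and need a separate quality check.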