Richard Sharpe wrote:
On Fri, 14 Feb 2003, Andrew Bartlett wrote:

Anybody doing this 'must change password every x days' thing has to
store the decrypted password, or else your users change from password1
to password2 to password3 then back to password1.
Hmmm, I am not sure of that. What is wrong with storing the history of password hashes back to some number. Sure, there can be collisions, but they should be infrequent, and it will prevent them from re-using the same passwd within the horizon of the hashes kept.
OpenVMS stores the password hashes back a configurable amount of time, the default is one year per user.

The storage time needs to be time based, not number of changes.

OpenVMS does not have the security hole where a user is forbidden to change a password for a period of time from the last change, so that a user must notify the system administrator when they think a recently changed password was compromised.

Frequent password changes also lead to passwords that are more easily cracked by social engineering methods. Usually if you have learned a past password, a human can figure out all future passwords.

-John
[EMAIL PROTECTED]
Personal Opinion Only
