[unisog] Password Management: Not Storing Old Passwords

David Fetrow fetrow at apl.washington.edu
Thu Oct 20 23:35:58 GMT 2005

> Date: Thu, 20 Oct 2005 10:39:40 -0500
> From: Chris Green <cmgreen at uab.edu>
> Subject: Re: [unisog] designing a password management system for
>       privileged accounts
> To: Unisog <unisog at lists.sans.org>
> Message-ID: <BF7D246C.20A19%cmgreen at uab.edu>
> Content-Type: text/plain;     charset="US-ASCII"
> On 10/19/05 6:58 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:
> The system should store "old" passwords to prevent reuse.

  I'm not so sure that'd be a good idea. Storing a 1-way hash
  of the password to prevent reuse probably would be.

  Consider what happens if the following stored old password list
  becomes known:

 	MrUniverse at Serenity


  In any case, this all becomes moot if they really do
  go with random generated passwords.

David Fetrow
Distributed Computing Services
Applied Physics Lab, Univ. of Washington
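The approach suggested above (keep only one-way hashes of previous passwords, so a leaked history reveals nothing but still blocks reuse), as an added example that is not part of the original post. It assumes a per-entry random salt, PBKDF2-HMAC-SHA256 as the slow hash, and a constructed history depth; the sample account name and the password on the page are used only as demo input.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example (not from the original post).
SALT_BYTES = 16
ITERATIONS = 100_000
HISTORY_DEPTH = 5  # how many previous password hashes to retain per user


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow one-way hash; the plaintext itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Per-account list of (salt, digest) pairs; no plaintext old passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._history = {}  # user -> [(salt, digest), ...], oldest first

    def was_used_before(self, user: str, candidate: str) -> bool:
        # Every entry carries its own salt, so the candidate is re-hashed per entry.
        for salt, digest in self._history.get(user, []):
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False

    def set_password(self, user: str, new_password: str) -> bool:
        """Reject reuse of any retained previous password; otherwise record the new one."""
        if self.was_used_before(user, new_password):
            return False
        salt = os.urandom(SALT_BYTES)
        entries = self._history.setdefault(user, [])
        entries.append((salt, hash_password(new_password, salt)))
        del entries[:-self.depth]  # keep only the most recent `depth` entries
        return True


def demo() -> list:
    """Walk through a reuse attempt; returns the accept/reject outcomes in order."""
    store = PasswordHistory(depth=2)
    return [
        store.set_password("mal", "MrUniverse@Serenity"),  # first use: accepted
        store.set_password("mal", "MrUniverse@Serenity"),  # immediate reuse: rejected
        store.set_password("mal", "second-choice-pw"),     # new password: accepted
        store.set_password("mal", "third-choice-pw"),      # accepted; first entry ages out
        store.set_password("mal", "MrUniverse@Serenity"),  # no longer in history: accepted
    ]
```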
