[unisog] Password Management: Not Storing Old Passwords

David Fetrow fetrow at apl.washington.edu
Thu Oct 20 23:35:58 GMT 2005


> Date: Thu, 20 Oct 2005 10:39:40 -0500
> From: Chris Green <cmgreen at uab.edu>
> Subject: Re: [unisog] designing a password management system for
>       privileged accounts
> To: Unisog <unisog at lists.sans.org>
> Message-ID: <BF7D246C.20A19%cmgreen at uab.edu>
> Content-Type: text/plain;     charset="US-ASCII"
>
> On 10/19/05 6:58 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:
> The system should store "old" passwords to prevent reuse.

  I'm not so sure that'd be a good idea. Storing a 1-way hash
  of the password to prevent reuse, probably would be.

  Consider what happens if the following stored old password list
  becomes known:

 	MrUniverse at Serenity

 	1nara.Malcom
 	Z0e?Wash
 	Kayl3e:Serenity
 	V3ra;Jayne
 	R1ver|Simon

  In any case, this all becomes moot if they really do
  go with randomly generated passwords.

------------------------------------------------------------
David Fetrow
Distributed Computing Services
Applied Physics Lab, Univ. of Washington
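
The salted one-way hash approach suggested in the message above, sketched as an added example that is not part of the original post. The class and function names, the PBKDF2 work factor and the history depth are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for your hardware
HISTORY_DEPTH = 5            # assumed policy: remember the last five passwords


def _derive(password, salt):
    """Slow, salted one-way hash of a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PasswordHistory:
    """Hypothetical reuse checker: keeps (salt, digest) pairs, never plaintext."""

    def __init__(self, depth=HISTORY_DEPTH):
        if depth < 1:
            raise ValueError("depth must be at least 1")
        self.depth = depth
        self.entries = []  # list of (salt, digest) tuples, oldest first

    def was_used(self, candidate):
        # Every entry has its own salt, so the candidate is re-hashed per entry.
        # All entries are checked (no early exit) and compared in constant time.
        hit = False
        for salt, digest in self.entries:
            if hmac.compare_digest(_derive(candidate, salt), digest):
                hit = True
        return hit

    def change(self, new_password):
        """Record new_password unless it is in the history; True if accepted."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, _derive(new_password, salt)))
        del self.entries[:-self.depth]  # drop entries beyond the policy depth
        return True
```

If this history leaks, it exposes only salts and slow-hash digests, so themed choices like those in the list above are not readable from it directly; each guess still costs one PBKDF2 run per entry.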


