Re: password aging
Steve Bellovin (smb at research.att.com)
Wed, 19 Aug 1998 11:40:11 -0400
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Logic Man: "Re: Denial of service"
- Previous message: Ted Doty: "RE: Denial of service"
- In reply to: Tupshin Harper: "RE: Denial of service"
- Next in thread: R. DuFresne: "Re: password aging"
- Reply: R. DuFresne: "Re: password aging"
In message <19980818175723.A4608@weathership.homeport.org>, Adam Shostack writes:
> Various people assert that it's a good idea to maintain a
> history of user passwords so that they can't change their password to
> a previous password. However, I'm having trouble finding a reference
> to this in the literature that examines the issue of how many
> passwords to save and why. The lime green book (password management)
> says not to let the user use their previous password, but doesn't go
> into storing a history.
>
> Does anyone know of a paper on, or that discusses, this topic,
> and how or why to pick various values of N?
There are several rationales; most boil down to combatting user
unwillingness to change their passwords. If forced to, they'll
change it, then change it right back to the old one, and (often)
iterate as needed.
Another rationale is that if it takes a long time to crack a given
password, but that password will be reused -- as is not unlikely --
one can try the old-but-recovered one every month or so, to see if it
now works.
I seem to recall some discussion of this topic in:
@article{opus,
  author  = {Eugene H. Spafford},
  title   = {{OPUS}: Preventing Weak Password Choices},
  journal = {Computers \& Security},
  volume  = 11,
  number  = 3,
  year    = 1992,
  pages   = {273--278},
  annote  = "Discusses how to use Bloom filters to check passwords against dictionaries
             without consuming large amounts of space.",
  url     = {ftp://coast.cs.purdue.edu/pub/Purdue/papers/spafford/spaf-OPUS.ps}
}
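An added example, not code from the post or from OPUS, of the mechanism the reply argues for: a history of the last N password hashes that refuses a change back to any remembered password, plus a small simulation showing how N decides how many throwaway changes a user needs before an old password is accepted again. The class and function names, the PBKDF2 parameters and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

# Assumption for the illustration: a modest PBKDF2 cost so the demo runs quickly.
ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Remembers the most recent n passwords as (salt, hash) pairs.

    The current password is one of the n entries, so a user must rotate
    through n+1 distinct passwords before an old one is accepted again;
    that is what the choice of N asked about in the thread controls.
    """

    def __init__(self, n: int, initial: str):
        self.history = deque(maxlen=n)  # oldest entry drops off automatically
        self._remember(initial)

    def _remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))

    def in_history(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-derived per entry;
        # compare_digest keeps the comparison constant-time.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def change_password(self, new_password: str) -> bool:
        """Record the change, or refuse it because the password is still remembered."""
        if self.in_history(new_password):
            return False
        self._remember(new_password)
        return True


def simulate_change_back(n: int, rotations: int) -> bool:
    """True if rotating through `rotations` throwaway passwords lets a user
    change back to the original one despite a history of size n."""
    hist = PasswordHistory(n, "original")
    for i in range(rotations):
        assert hist.change_password(f"throwaway-{i}")
    return hist.change_password("original")
```

With a history of size N, the original password is accepted again only after N throwaway changes, which is why a history is usually paired with a minimum password age.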
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:40 CDT