Re: password aging
Stephen P. Gibbons (steve aztech.net)
Fri, 28 Aug 1998 07:49:11 -0700
- Next message: Chris Shenton: "Re: NetMeeting secure?"
- Previous message: John McDermott: "RE: Simple demo"
- Maybe in reply to: Rik Farrow: "Simple demo"
- Next in thread: Paul McNabb: "Re: password aging"
System-wide password histories shouldn't be used unless
you are also doing dictionary/pattern checks. Given those
constraints, and the soundex + hashing that I mentioned in
my previous message, it will be difficult for an end-user to
determine exactly why their new password choice was
rejected by the system. Your example of "sleepy7" could
have been rejected at any stage of the "sanity checks".
The specific reason for rejecting the new password should
not be reported to the user; they only need to be told that
the new password is probably weak.
Think of the global history as an adjunct to a dictionary check.
The dictionary, in this case, just happens to match your
user-base's actual use very closely, and it changes over time.
-- Steve

Paul McNabb wrote:
> > From: "Stephen P. Gibbons" <steve aztech.net>
> >
> > Storing the hashes system-wide so that user2 wouldn't be
> > allowed to use a password that had been previously used
> > by user1 or user3 is another option. Use a strong hash, and
> > chmod 0600 the history file if you do this. Yeah, an HMAC
> > would work better, but then you can't easily combine histories
> > and have to protect the key used.
>
> Having a "system wide" password history is an EXTREMELY bad thing
> to do! It is much worse than doing nothing at all! The reason
> for a password history mechanism in the first place is because you
> want to break up (as much as possible) the password selection
> mechanism so that passwords are more random (and harder to guess)
> for a user.
>
> If your users are not telling each other their passwords, then any
> passwords reused by other people are purely random anyway. And if
> a user ever gets a "hit" on a password, then he/she knows something
> about the password selection habits of someone on the system. For
> example, if a user can't choose the password "sleepy7" because someone
> else has used it, it may be a reasonable guess that someone is using
> a "Snow White" theme in choosing passwords.
>
> System wide password history mechanisms remove randomness from the
> password set being used, and they *secretly* pass information about
> one user's passwords to another user.
>
> It should be obvious that if the password history includes the current
> passwords, then if I get a "hit" when trying to select a new password,
> I am fairly sure that some account on the system has the password I
> just tried!
>
> The moral? NEVER, NEVER, NEVER USE SYSTEM WIDE PASSWORD HISTORIES!!
>
> paul
>
> ---------------------------------------------------------
> Paul McNabb                 Argus Systems Group, Inc.
> Vice President and CTO      1809 Woodfield Drive
> mcnabb argus-systems.com    Savoy, IL 61874 USA
> TEL 217-355-6308
> FAX 217-355-1433            "Securing the Future"
> ---------------------------------------------------------
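One way to build the check pipeline Steve describes (dictionary/pattern check first, then per-user and global history keyed with an HMAC rather than a plain hash, and one generic rejection message so the user cannot tell which stage rejected the password), written as an added Python example that is not part of the original thread. The word list, the key and the function names are constructed for illustration; the soundex normalisation from Steve's earlier message is not shown.

```python
import hashlib
import hmac
import re

# Constructed sample data (not from the original thread): a tiny word
# list standing in for the dictionary, and a secret key that must live
# outside the 0600 history file it protects.
DICTIONARY = {"sleepy", "password", "welcome", "dwarf"}
HISTORY_KEY = b"constructed-secret-key-not-stored-with-the-history"
GENERIC_REJECT = "The new password is probably weak; please choose another."


def history_tag(password: str) -> str:
    """Keyed tag stored in the history instead of the password.

    Uses HMAC-SHA256 rather than a plain hash, as the thread suggests, so
    someone who reads the history file cannot run a dictionary against
    it without also obtaining HISTORY_KEY.
    """
    return hmac.new(HISTORY_KEY, password.encode(), hashlib.sha256).hexdigest()


def pattern_check(password: str) -> bool:
    """Dictionary/pattern stage: minimum length, then a dictionary word
    with trailing digits stripped ("sleepy7" -> "sleepy")."""
    if len(password) < 8:
        return False
    stripped = re.sub(r"\d+$", "", password.lower())
    return stripped not in DICTIONARY


def check_new_password(user, password, per_user_history, global_history):
    """Run the sanity checks in order and return (accepted, message, stage).

    `stage` names the check that rejected the password and is meant for
    the admin log only. The user sees GENERIC_REJECT for every failure,
    so a rejection does not reveal whether the password was a dictionary
    word, in their own history, or currently in use by someone else.
    """
    if not pattern_check(password):
        return False, GENERIC_REJECT, "dictionary/pattern"
    tag = history_tag(password)
    if tag in per_user_history.get(user, set()):
        return False, GENERIC_REJECT, "per-user history"
    if tag in global_history:
        return False, GENERIC_REJECT, "global history"
    return True, "Password accepted.", "ok"
```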
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:40 CDT