LinuxSA Mailing list archives

  From: Chris Harris <chris.harris@loftuscomp.com.au>
  To  : David Lloyd <dlloyd@microbits.com.au>
  Date: 02 Jul 2003 11:10:24 +0930

Re: Linux knows too much

On Wed, 2003-07-02 at 10:26, David Lloyd wrote:
>  1) Save X old passwords
>  2) When a new password is entered, hash it (using all possible salt values if
>     necessary) and see whether it turns up

You don't need to use all possible salt values. The salt value is
already stored as part of the hash. And this won't tell you if the
password is too similar, it will tell you if it's the same.

The way to tell is to take the new password, and change it slightly and
try to match the existing hash: i.e. I add my new password as 'linux' and
my old password was 'linuX', the program would:

1) Cycle through all combinations of the new password it decides are
'too similar' (Linux, lInux, liNux etc)
2) Crypt them using the same salt as the existing password.
3) If one of the combinations matches, the passwords are too similar.

On other (non-Linux type) systems, password aging may store a certain
number of previous passwords so it can check against those for
similarity too.

Cheers,
Chris.
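
The three steps described in the message above, as an added Python example (not part of the original post, and not the code of any real password-checking module). `toy_crypt` is a hypothetical stand-in for crypt(3) that keeps the salt in front of the digest, and the stored hash is a constructed sample.

```python
import hashlib
import hmac
from itertools import product


def toy_crypt(password: str, salt: str) -> str:
    """Hypothetical stand-in for crypt(3): returns 'salt$digest',
    so the salt is stored as part of the hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), 1_000
    ).hex()
    return f"{salt}${digest}"


def case_variants(password: str, max_len: int = 12):
    """Step 1: yield every upper/lower-case variant of the new password.
    The count doubles per letter, so the length is capped."""
    if len(password) > max_len:
        raise ValueError("password too long to enumerate case variants")
    choices = [sorted({c.lower(), c.upper()}) for c in password]
    for combo in product(*choices):
        yield "".join(combo)


def too_similar(new_password: str, stored_hash: str) -> bool:
    """Steps 2 and 3: hash each variant with the salt taken from the
    existing hash and report a match."""
    salt, _, _ = stored_hash.partition("$")  # salt is read, never guessed
    for variant in case_variants(new_password):
        candidate = toy_crypt(variant, salt)
        # Constant-time comparison of the full 'salt$digest' strings.
        if hmac.compare_digest(candidate, stored_hash):
            return True
    return False


# Constructed sample: the old password from the message, with salt "ab".
OLD_HASH = toy_crypt("linuX", "ab")

if __name__ == "__main__":
    for attempt in ("linux", "Linux", "linus"):
        print(attempt, "->", "rejected" if too_similar(attempt, OLD_HASH) else "ok")
```

Because the unchanged spelling is one of the variants, the same loop also rejects an exact reuse of the old password.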
