Re: minimum number of days between password change
On Tuesday 02 November 2010 00:29:03 Ron Johnson wrote:
> On 11/01/2010 04:45 PM, Jesús M. Navarro wrote:
> > Hi, Ron:
> > On Monday 01 November 2010 18:49:01 Ron Johnson wrote:
> > [...]
> >> If someone learns my password on day 2, they have full access to my
> >> account for 74 days, or I must beg for SysAdmin help?
> >> "Minimum number of days" isn't a very bright idea.
> > It is, for a low minimum number.
> > The rationale is to avoid the user reusing passwords: Ok, so my password
> > is 12345678 and I must change it now? Let's do it: 87654321; but
> > immediately I change back again.
> The way to do it is to have a record in your password db of the
> hashes of each user's last N passwords.
> > So if the minimum change time is about a week, it takes about the same
> > effort to learn the new password than to change it back.
> You're Doing It Wrong if you use "minimum days" to avoid password reuse.
I didn't imply minimum password age was either the only or the best way to
avoid password reuse, only that it can apropriately used for that.
On Linux, in order for you to retain last n passwords you will need at least
another "device" (file, database field...) to store them you'll have to take
care of (at least under the assumption that old passwords will show a trend
that could be exploited after brute-force attack).