
Re: minimum number of days between password change



Hi, lee:

On Tuesday 02 November 2010 21:26:54 lee wrote:
> On Mon, Nov 01, 2010 at 06:29:03PM -0500, Ron Johnson wrote:
> > On 11/01/2010 04:45 PM, Jesús M. Navarro wrote:
> > >Hi, Ron:
> > >
> > >On Monday 01 November 2010 18:49:01 Ron Johnson wrote:
> > >[...]
> > >
> > >>If someone learns my password on day 2, they have full access to my
> > >>account for 74 days, or I must beg for SysAdmin help?
> > >>
> > >>"Minimum number of days" isn't a very bright idea.
> > >
> > >It is, for a low minimum number.
> > >
> > >The rationale is to avoid the user reusing passwords: Ok, so my password
> > > is 12345678 and I must change it now?  Let's do it: 87654321; but
> > > immediately I change back again.
> >
> > The way to do it is to have a record in your password db of the
> > hashes of each user's last N passwords.
>
> BTW, how do you do that?

AFAIK you can't, at least with files backend (but that's a different issue).

Cheers.
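
The two controls debated in this thread, modelled together as an added example that is not part of the original messages: a store that remembers the last N salted password hashes, with and without a minimum age. The class, function and user names are hypothetical, the passwords are the ones quoted above, and PBKDF2 stands in for whatever hash a real backend uses.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta


class PasswordPolicy:
    """Toy policy store (hypothetical): keeps the last `history` salted hashes
    per user and optionally enforces a minimum age between changes."""

    def __init__(self, history=3, min_days=0):
        self.history = history
        self.min_age = timedelta(days=min_days)
        self.records = {}  # user -> (last_change, [(salt, digest), ...]), newest first

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def change(self, user, new_password, now):
        last_change, old = self.records.get(user, (None, []))
        # Minimum age: refuse a change that follows the previous one too closely.
        if last_change is not None and now - last_change < self.min_age:
            return "too-soon"
        # History: re-hash the candidate under each remembered salt and compare.
        for salt, digest in old:
            if hmac.compare_digest(self._hash(new_password, salt), digest):
                return "reused"
        salt = os.urandom(16)
        entry = (salt, self._hash(new_password, salt))
        self.records[user] = (now, ([entry] + old)[: self.history])
        return "ok"


def cycle_back(policy, user="alice"):
    """Set a password, churn through `history` throwaways on the same day,
    then try to return to the original password."""
    now = datetime(2010, 11, 1)  # constructed timestamp
    results = [policy.change(user, "12345678", now)]
    for i in range(policy.history):
        results.append(policy.change(user, f"throwaway-{i}", now))
    results.append(policy.change(user, "12345678", now))
    return results


if __name__ == "__main__":
    print("history only:     ", cycle_back(PasswordPolicy(history=3, min_days=0)))
    print("history + min age:", cycle_back(PasswordPolicy(history=3, min_days=1)))
```

With history alone, N quick changes push the old hash out of the remembered list and the original password is accepted again; a one-day minimum age stops that churn at the second change.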

