Re: minimum number of days between password change

To: debian-user@lists.debian.org
Subject: Re: minimum number of days between password change
From: Robert Brockway <robert@timetraveller.org>
Date: Wed, 3 Nov 2010 11:41:17 -0400 (EDT)
Message-id: <[🔎] alpine.DEB.1.10.1011031131570.16983@castor.opentrend.net>
In-reply-to: <[🔎] 4CD0F6D8.4050503@allums.com>
References: <[🔎] 4CCEEABA.3090404@seznam.cz> <[🔎] 4CCF4D3F.3000603@cox.net> <[🔎] 20101102202654.GD29901@yun.yagibdah.de> <[🔎] 201011030340.45466.jesus.navarro@undominio.net> <[🔎] 4CD0CFD5.3020100@allums.com> <[🔎] 4CD0EBB2.4010701@cox.net> <[🔎] 4CD0F6D8.4050503@allums.com>

On Wed, 3 Nov 2010, Mark Allums wrote:

I know it is the hashes. Everything leaves tracks. It's not the passwordsthat might be compromised, it's the privacy. I expect this is an example ofextreme paranoia, but still...
An unrelated example: Incognito mode (AKA, porn mode) of Google Chrome.Forensic researchers have published articles about how much they found outabout the user even after they used the "secure" mode.
You can't reverse the hash, but a pattern in the history file might tellsomeone something you don't want them to know. Granted, you could keep the

If the hash algorithm is worth its salt (pun intended) then thereshouldn't be a pattern in the hashes even if there is in the passwords.

If the file keeps timestamp information in plaintxt that may revealinformation like when the user tends to change their password which may ormay not be useful to an attacker.


I think on balance the risk is low though.

The hash log could be subject to a brute force attack. /etc/shadow isalso subject to a brute force if someone can get root on the box. This isuseful as passwords are often resued across systems, so they could usethis to break into other systems. /etc/shadow would deliver currentrather than old passwords so it is far more valuable too.

Personally I don't think much of keeping a record of old password hashesbut for a different reason: they are easily circumvented by the userchanging their password several times until they can reuse the old oneagain. Some organisations have tried to prevent this by limiting howquickly passwords can be changed - the problem with this approach shouldbe obvious :)


Cheers,

Rob

--
Email: robert@timetraveller.org		Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Contributing member of Software in the Public Interest (http://spi-inc.org/)
Open Source: The revolution that silently changed the world

Reply to:

Follow-Ups:
- Re: minimum number of days between password change
  - From: Mark Allums <mark@allums.com>
- Re: minimum number of days between password change
  - From: Ron Johnson <ron.l.johnson@cox.net>

References:
- minimum number of days between password change
  - From: Lukas Baxa <baxic-cs@seznam.cz>
- Re: minimum number of days between password change
  - From: Ron Johnson <ron.l.johnson@cox.net>
- Re: minimum number of days between password change
  - From: lee <lee@yun.yagibdah.de>
- Re: minimum number of days between password change
  - From: "Jesús M. Navarro" <jesus.navarro@undominio.net>
- Re: minimum number of days between password change
  - From: Mark Allums <mark@allums.com>
- Re: minimum number of days between password change
  - From: Ron Johnson <ron.l.johnson@cox.net>
- Re: minimum number of days between password change
  - From: Mark Allums <mark@allums.com>

Prev by Date: Re: Trying to use a Nokia N95 as a modem over USB
Next by Date: Re: improve screen resolution
Previous by thread: Re: minimum number of days between password change
Next by thread: Re: minimum number of days between password change
Index(es):
- Date
- Thread