Date: Sun, 24 Jun 2007 01:23:46 +0400
From: "(GalaxyMaster)" <galaxy@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: pam_passwdqc and history

Vincent,

Thanks for a good question. I was wondering whether it could be done on
Owl too (however, I haven't investigated the issue for real).

On Sun, Jun 24, 2007 at 12:53:51AM +0400, gremlin@...mlin.ru wrote:
> 
> It does NOT and, I hope, never will - all these "password
> history policies" require storing plaintext password somewhere,
> which is absolutely unacceptable. The only possible check is

Gremlin, I know of at least a couple of techniques for performing this check
without storing the plain text version of the password, so you might be wrong
in your claims.  JFYI.

I'd like to see Solar's opinion on this.  I think that, although it's
a little bit complicated since we need to store some additional metadata
per account, this option could be implemented and it would have its users
(not only Vincent and me but a broader range of users :) ).

-- 
(GM)
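
A reuse check of the kind this message refers to can be done by keeping only salted hashes of earlier passwords and re-hashing the candidate under each stored salt. The sketch below is an added example, not code from the post, pam_passwdqc or Owl, and not necessarily one of the techniques the poster had in mind; the PBKDF2 parameters, history depth and function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed PBKDF2 work factor for this sketch
HISTORY_DEPTH = 5      # assumed number of old passwords remembered per account


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def in_history(candidate, history):
    """True if the candidate matches any remembered (salt, digest) entry."""
    reused = False
    for salt, digest in history:
        # Re-hash the candidate under the *old* salt; the old plaintext is never needed.
        _, attempt = hash_password(candidate, salt)
        # Constant-time compare, and no early exit on a match.
        reused |= hmac.compare_digest(attempt, digest)
    return reused


def change_password(new_password, history):
    """Reject exact reuse; otherwise record the new entry and trim old ones."""
    if in_history(new_password, history):
        return False
    history.append(hash_password(new_password))
    del history[:-HISTORY_DEPTH]   # keep only the newest HISTORY_DEPTH entries
    return True
```

The history list is the "additional metadata per account" mentioned above: every entry is another hash that can be attacked offline, so it needs the same protection as the shadow file. This approach detects exact reuse only.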

