Good point; some systems are configured to keep password histories. On my default RHEL install, there is no such file. In fact, I don't think I've used any version of Linux that was configured this way. There's probably some PAM configuration that will keep password histories, but by default, I don't know of a Linux distro that does.
The passwd program does compare the current password that the user gives when she runs the passwd program against the user's newly entered password. A look through the source of the passwd program confirms this.
It's interesting that the passwd program, when run as a normal user on RHEL (I assume other distros too), prompts for the user's "UNIX" password.
On 2/19/07, Phil Thayer [email protected] wrote:
Typically in OS's that check that passwords are not similar to previously used passwords there is a password history file that contains old passwords in an encrypted form (not one-way) that can be compared against what is entered. Find the password history file, blow it away and create a new one with the touch command and you will have no password history.
Phil
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dave Hull
Sent: Saturday, February 17, 2007 9:33 PM
To: [email protected]
Cc: [email protected]
Subject: Re: Quick security question
Interesting question.
Mathematically, the hashes of "testpass" and "tespass" are very different, so obviously the passwd program isn't comparing hashes. What is it comparing?
When a user runs the passwd program, they are prompted for their old password and the password program stores that value, then the user is prompted for a new password and the new value is compared to the old value. The hashes themselves are not being compared.
When root runs the passwd program, it doesn't prompt for the old password value so there's no comparison.
On 2/17/07, [email protected] [email protected] wrote:
Can someone more familiar than I with the math behind one-way hashes explain how a hashed string is compared with a string in plaintext? I had a typo in the text I fed to passwd, and, when I went back in to fix the typo, I got an error message that read: "BAD PASSWORD: is too similar to the old one"

Of course, that was easy enough to override as root, but it raises an interesting question. Anyone game to explain the math behind how it was able to tell?
Thanks,
Sean

_______________________________________________
Kclug mailing list
[email protected]
http://kclug.org/mailman/listinfo/kclug
--
Dave Hull
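The point made in the thread, as an added example that is not from the list or from passwd's source: the "too similar" check works on the plaintext old and new passwords that passwd has in hand, while the hashes of "testpass" and "tespass" share nothing useful. The edit-distance metric and the `difok` threshold below are assumptions modelled on the kind of similarity test a PAM password-quality module performs, not the exact logic of any particular module.

```python
import hashlib


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character insertions, deletions
    or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, difok: int = 5) -> bool:
    """Plaintext similarity check of the kind passwd can only perform because
    it asked for the old password first. difok (assumed default 5) is the
    minimum number of characters that must change; trivial transforms such as
    a case change or a reversal are rejected outright."""
    if new.lower() == old.lower() or new == old[::-1]:
        return True
    return edit_distance(old, new) < difok


def hash_hamming_distance(a: str, b: str) -> int:
    """Number of differing bits between the SHA-256 digests of two strings;
    for any two distinct inputs this is roughly half of 256, so a stored
    hash carries no information about closeness to the new password."""
    ha = hashlib.sha256(a.encode()).digest()
    hb = hashlib.sha256(b.encode()).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(ha, hb))


if __name__ == "__main__":
    old, new = "testpass", "tespass"   # the typo case from the thread
    print("edit distance:", edit_distance(old, new))
    print("too similar:", too_similar(old, new))
    print("hash bits differing:", hash_hamming_distance(old, new))
```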