Found, a new rootkit

Michael H. Warfield mhw at WittsEnd.com
Fri Apr 7 13:34:29 UTC 2006


On Fri, 2006-04-07 at 17:51 +0930, Tim wrote:
> Les Mikesell:
> >> How do you prevent re-use without keeping plain text or reversibly
> >> encrypted copies of the old ones laying around waiting to be
> >> stolen?

> If you're storing *old* passwords that you don't want people to use
> again, would it matter if they're stored as plain text?  I would imagine
> that you could just add them to a banned passwords list.

	Actually...  You couldn't even if you wanted to.  The plain text
password is not stored on the system at all.  Only the password hashes.
If you want to maintain a password history, you just store those hashes
and use them in future change password attempts.  If you wanted to store
the plain text password (in some misguided attempt to catch "similar"
passwords) you would have to have the user reenter his old password and
store that plain text, since the hashes are not reversible.

	Even storing old "banned" passwords as plain text is a very VERY bad
idea.  Even if they never reuse a password, that same password may be
used somewhere else (other systems, web sites, keyrings, databases, etc,
etc, etc), may reveal personal information about the user, or may reveal
patterns in their password generating methodology (KillRoy1, KillRoy2,
KillRoy3).

	Obviously, this is something you do NOT want to do.

	If you are this paranoid that you even want to catch "similar"
passwords, then I would recommend going to an OTP like s/key or OPIE and
be done with it.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
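The password-history mechanism Mike describes above (keep only the hashes of previous passwords and verify a proposed new password against each of them at change time) can be implemented in a few dozen lines. The following is an added example and is not part of the original message or of any Fedora component; it uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-hash random salt, and the names `UserRecord`, `change_password`, `HISTORY_DEPTH` and `PBKDF2_ITERATIONS` are this example's own choices. It also shows the limitation Mike points out: because the stored material is a one-way hash, the check can only detect exact reuse, so "KillRoy2" is accepted after "KillRoy1" even though a human would call them similar.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed tuning parameters for this example (not values from the original post).
PBKDF2_ITERATIONS = 100_000   # work factor for PBKDF2-HMAC-SHA256
HISTORY_DEPTH = 5             # how many retired (salt, digest) pairs to keep per user

HashPair = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HashPair:
    """Derive a salted PBKDF2-HMAC-SHA256 digest. A fresh 16-byte random salt is
    drawn when none is supplied, so two users with the same password get
    different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time.
    This is the only way to 'consult' a stored hash: the plain text never comes back."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class UserRecord:
    """What the system keeps for a user: only hashes, never plain-text passwords."""
    current: HashPair                                   # live password
    history: List[HashPair] = field(default_factory=list)  # retired passwords, newest first


def create_user(password: str) -> UserRecord:
    return UserRecord(current=hash_password(password))


def change_password(user: UserRecord, old_password: str, new_password: str) -> bool:
    """Password-change policy:
      1. the supplied old password must verify against the current hash;
      2. the new password must not verify against the current hash or any
         retained history hash (exact reuse is rejected).
    Returns True when the change is applied, False when it is rejected.
    The plain text of both passwords exists only in this call's locals."""
    if not matches(old_password, *user.current):
        return False
    for salt, digest in [user.current, *user.history]:
        if matches(new_password, salt, digest):
            return False  # reuse of a previous password
    # Retire the current hash into the history and trim to HISTORY_DEPTH entries.
    user.history.insert(0, user.current)
    del user.history[HISTORY_DEPTH:]
    user.current = hash_password(new_password)
    return True


if __name__ == "__main__":
    u = create_user("KillRoy1")
    print(change_password(u, "KillRoy1", "KillRoy2"))  # True: different string, accepted
    print(change_password(u, "KillRoy2", "KillRoy1"))  # False: exact reuse caught by history
    print(len(u.history))                              # 1
```

Note that the history holds a separate salt per entry, so each check against history costs one full PBKDF2 derivation; with a deep history and a high work factor the change-password path gets noticeably slower, which is one practical reason to keep `HISTORY_DEPTH` modest.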
