Quick security question

Phil Thayer phil.thayer at vitalsite.com
Mon Feb 19 08:14:22 CST 2007


Typically in OSes that check that passwords are not similar to
previously used passwords there is a password history file that contains
old passwords in an encrypted form (not one-way) that can be compared
against what is entered. Find the password history file, blow it away
and create a new one with the touch command and you will have no
password history.

Phil

> -----Original Message-----
> From: kclug-bounces at kclug.org 
> [mailto:kclug-bounces at kclug.org] On Behalf Of Dave Hull
> Sent: Saturday, February 17, 2007 9:33 PM
> To: cragos at gmail.com
> Cc: kclug at kclug.org
> Subject: Re: Quick security question
> 
> Interesting question.
> 
> Mathematically, the hashes of "testpass" and "tespass" are very
> different, so obviously the passwd program isn't comparing hashes.
> What is it comparing?
> 
> When a user runs the passwd program, they are prompted for their old
> password and the password program stores that value, then the user is
> prompted for a new password and the new value is compared to the old
> value. The hashes themselves are not being compared.
> 
> When root runs the passwd program, it doesn't prompt for the old
> password value so there's no comparison.
> 
> On 2/17/07, cragos at gmail.com <cragos at gmail.com> wrote:
> > Can someone more familiar than I with the math behind one-way hashes
> > explain how a hashed string is compared with a string in plaintext?  I
> > had a typo in the text I fed to passwd, and, when I went back in to
> > fix the typo, I got an error message that read: "BAD PASSWORD: is too
> > similar to the old one"
> >
> > Of course, that was easy enough to override as root, but it raises an
> > interesting question.  Anyone game to explain the math behind how it
> > was able to tell?
> >
> > Thanks,
> > Sean
> > _______________________________________________
> > Kclug mailing list
> > Kclug at kclug.org
> > http://kclug.org/mailman/listinfo/kclug
> >
> 
> 
> -- 
> Dave Hull
> 
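The flow Dave describes, worked through as an added example (Python, not code from anyone in this thread): the hashes of "testpass" and "tespass" differ in roughly half their bits, so no similarity can be read off them, but passwd has just asked a normal user for the old password in plaintext and can compare the two plaintexts directly; root skips that prompt, so there is nothing to compare. PBKDF2 stands in for crypt(3), and the similarity rule (an edit-distance threshold of 5, also tried against the reversed string) is a simplified stand-in, not the actual cracklib algorithm.

```python
"""Added example: why passwd can call a new password 'too similar' while
storing only one-way hashes. The check runs on the plaintexts typed in,
not on the stored hash."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # stand-in for crypt(3); any slow salted hash works here


def hash_bit_distance(a: str, b: str) -> int:
    """Hamming distance in bits between the SHA-256 digests of two strings.
    A one-character change flips about half of the 256 bits, so the hashes
    carry no usable information about how alike the inputs are."""
    ha = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    hb = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(ha ^ hb).count("1")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts/deletes/substitutions from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, min_diff: int = 5) -> bool:
    """Simplified plaintext similarity rule (assumed threshold, not cracklib's
    exact code): reject if fewer than min_diff edits separate the new password
    from the old one, case-insensitively, or from the new one reversed."""
    old_l = old.lower()
    for variant in (new.lower(), new.lower()[::-1]):
        if edit_distance(old_l, variant) < min_diff:
            return True
    return False


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash as a shadow record would store it: (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute the hash from the typed plaintext and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def change_password(record, old_entered, new_entered, as_root=False):
    """Simulated passwd flow. Returns (accepted, message, record).
    A normal user must prove the old password first, which hands the
    similarity check its plaintext; root is never prompted for it, so there
    is no old plaintext to compare and no similarity error."""
    if not as_root:
        if old_entered is None or not verify_password(old_entered, record):
            return False, "passwd: authentication failure", record
        if too_similar(old_entered, new_entered):
            return False, "BAD PASSWORD: is too similar to the old one", record
    return True, "passwd: password updated successfully", hash_password(new_entered)


if __name__ == "__main__":
    print("hash bits differing, testpass vs tespass:", hash_bit_distance("testpass", "tespass"))
    print("plaintext edit distance:", edit_distance("testpass", "tespass"))
    rec = hash_password("testpass")  # constructed shadow record for the demo
    print("user:", change_password(rec, "testpass", "tespass")[:2])
    print("root:", change_password(rec, None, "tespass", as_root=True)[:2])
```

The same structure is why a password history check can still work with one-way hashes only: hash the candidate with each stored salt and compare digests, which needs no reversible storage.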

