Les Mikesell wrote:
> On Tue, 2006-04-04 at 21:58, jdow wrote:
>
>>> Another good guide is:
>>>
>>> Enforce changing of passwords on at least a monthly basis.
>>> Do not permit re-use of old passwords.
>> Experience indicates that people rotate sets of four or five passwords
>> in that case.
>
> How do you prevent re-use without keeping plain text or reversibly
> encrypted copies of the old ones laying around waiting to be
> stolen?
>
You keep copies of the old encrypted passwords around, and compare the new one to them. If they match, reject the password. After all, you do that to the current one every time someone tries to log in.

Mikkel
--
Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
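The check described in the reply above, as an added example that is not part of the original thread: each old password is kept only as a salted one-way hash, and a proposed password is re-hashed under every stored salt and compared. PBKDF2-HMAC-SHA256 stands in for whatever hash the system actually uses, and the `PasswordHistory` class, its method names, the iteration count and the history depth are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password, record):
    """Re-hash the candidate under the record's own salt, as a login check does."""
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


class PasswordHistory:
    """Hypothetical per-user store holding only salted hashes, newest first."""

    def __init__(self, depth=5):
        self.depth = depth
        self.records = []

    def is_reused(self, candidate):
        # One hash computation per remembered password, since every salt differs.
        return any(matches(candidate, record) for record in self.records)

    def change(self, new_password):
        """Reject a password found in the history; otherwise store its hash."""
        if self.is_reused(new_password):
            return False
        self.records.insert(0, hash_password(new_password))
        del self.records[self.depth:]  # forget entries older than `depth`
        return True

    def verify_login(self, password):
        # Only the newest record is the current password.
        return bool(self.records) and matches(password, self.records[0])
```

Because only hashes are stored, this catches exact re-use and nothing else; a password that differs from an old one by a single character produces an unrelated digest and passes.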