On Tue, 2006-04-04 at 23:04, Mikkel L. Ellertson wrote:
> >
> >>> Another good guide is:
> >>>
> >>> Enforce changing of passwords on at least a monthly basis.
> >>> Do not permit re-use of old passwords.
> >> Experience indicates that people rotate sets of four or five passwords
> >> in that case.
> >
> > How do you prevent re-use without keeping plain text or reversibly
> > encrypted copies of the old ones laying around waiting to be
> > stolen?
> >
> You keep copies of the old encrypted passwords around, and compare
> the new one to them. If they match, reject the password. After all,
> you do that to the current one every time someone tries to log in.

I guess I was thinking of the systems that tell you you haven't made
enough of a change from the old one(s).

-- 
  Les Mikesell
   lesmikesell@xxxxxxxxx
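
The two checks discussed in this thread, as an added example that is not part of the original message: exact re-use is tested against stored salted hashes, while the "not enough of a change" test can only use the old password the user types during the change. The function names, PBKDF2 parameters and similarity threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return (salt, digest); only this pair is stored, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches(password, record):
    """Re-hash the candidate with the stored salt, as a login check does."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(new, typed_old, current, history, max_similarity=0.6):
    """Return None if the change is acceptable, otherwise the reason it is not.

    current: (salt, digest) of the active password
    history: list of (salt, digest) records for retired passwords
    """
    if not matches(typed_old, current):
        return "old password incorrect"
    # Exact re-use: each stored record has its own salt, so hash once per record.
    if any(matches(new, rec) for rec in [current] + history):
        return "password was used before"
    # Similarity needs plaintext, so it can only be measured against the
    # password just typed, not against anything in the hashed history.
    ratio = SequenceMatcher(None, typed_old.lower(), new.lower()).ratio()
    if ratio > max_similarity:
        return "too similar to current password"
    return None
```

A near-variant of a retired password passes the history check, because a salted hash reveals nothing about how close two inputs are.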