On Wed, 2006-04-05 at 21:17 +0800, John Summerfied wrote:
> Les Mikesell wrote:
> > On Tue, 2006-04-04 at 23:04, Mikkel L. Ellertson wrote:
> >
> >> You keep copies of the old encrypted passwords around, and compare
> >> the new one to them. If they match, reject the password. After all,
> >> you do that to the current one every time someone tries to log in.
>
> Create a test account, fred.
> Set fred's password to, say, derf.
> Take a note of the encrypted password.
> Change Fred's password to derf.
> Compare with the previous encrypted password. Are they the same?

Probably not if you simply do a new encryption as a new password. The 'salt' will be different and thus the encrypted string will be different. In fact I just tested it, and even though the password was the same twice, the encrypted result was different.

However, note one thing. When a user is logging in, to test the password the system reads the encrypted password and uses the salt found there to encrypt the given password before comparing. Thus any comparison with an encrypted password is done using the embedded salt, and the resulting encryption string will be the same if the password is the same. Saving an old encrypted password and comparing it to the new password would thus reveal they are identical in your example, even though the encrypted string in /etc/shadow would be different than the saved one if it were allowed.

Just my $.02

> --
> Cheers
> John
>
> -- spambait
> 1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
> Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
>
> do not reply off-list
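What the reply above describes, as an added example that is not part of this thread: a salted hash whose salt is embedded in the stored string, a login-style check that re-derives the hash with that embedded salt, and a password-history check built on the same comparison. The `$pbkdf2-sha256$...` format and the function names are my own assumptions for the demo; real /etc/shadow entries are produced by crypt(3) (for example SHA-512-crypt), not by this PBKDF2 stand-in, but the salt handling is the same. The block also shows why the naive approach (hash the new password afresh and look for that string in the history) never matches.

```python
"""Added example, not code from the thread: salted password hashes, the
login-style check that reuses the embedded salt, and a password-history
check built on it. The hash format below is a stand-in (assumption), not
the crypt(3) format used in /etc/shadow; the salt logic is what matters."""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 100_000  # assumption: modest work factor so the demo runs fast


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def make_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return "$pbkdf2-sha256$<iterations>$<salt>$<digest>".

    With salt=None a fresh random salt is drawn, so hashing the same
    password twice yields two different strings. This is what the thread's
    'set the password to derf twice' experiment observes in /etc/shadow."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${_b64(salt)}${_b64(dk)}"


def _parse(stored: str) -> Tuple[str, int, bytes, str]:
    """Split a stored hash into (scheme, iterations, salt bytes, digest)."""
    _, scheme, iters, salt, digest = stored.split("$")
    return scheme, int(iters), base64.b64decode(salt), digest


def check_password(password: str, stored: str) -> bool:
    """Login-style check: take the salt (and cost) out of the stored string,
    re-derive the digest for the candidate, and compare in constant time."""
    scheme, iters, salt, digest = _parse(stored)
    if scheme != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(_b64(dk), digest)


def reuses_old_password(candidate: str, history: List[str]) -> bool:
    """History check done correctly: test the candidate against each old
    hash using that hash's own embedded salt, exactly as login does."""
    return any(check_password(candidate, old) for old in history)


def naive_history_check(candidate: str, history: List[str]) -> bool:
    """The broken approach from the thread: hash the candidate with a fresh
    salt and look for the resulting string in the history. Because the salt
    differs every time, this never matches even when the password is reused."""
    return make_hash(candidate) in history


if __name__ == "__main__":
    first = make_hash("derf")    # "set fred's password to derf"
    second = make_hash("derf")   # "change fred's password to derf" again
    print("stored strings differ:", first != second)
    print("login accepts derf for both:",
          check_password("derf", first) and check_password("derf", second))
    print("salt-aware history check catches reuse:",
          reuses_old_password("derf", [first]))
    print("naive string comparison catches reuse:",
          naive_history_check("derf", [first]))
```

Run it as a script to see the four lines; the second-to-last is True and the last is False, which is the whole point of the reply: a history check must go through the same salt-reusing comparison that login uses, not compare freshly generated hash strings.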