Re: [owl-users] pam_passwdqc and history

From: Solar Designer (solar@private)
Date: Sat Jun 23 2007 - 18:39:39 PDT


Vincent - thank you for asking this question on owl-users rather than
via private e-mail to me (like some others did).

On Sat, Jun 23, 2007 at 11:01:04AM -0600, Vincent Danen wrote:
> Quick question.  Does pam_passwdqc support password history?  Not just
> comparing the current password to the new password, but seeing if it's
> similar to, say, any of the last 3 passwords a user used?  Apparently
> some government/company legislation/policies require history checking of
> current-N passwords, and I'm wondering if passwdqc does this.

No, pam_passwdqc doesn't currently have this questionable feature.

Also, it is non-obvious whether pam_passwdqc is the right place to have
this feature (if at all).  It is common to have it in pam_unix instead
(this would be pam_tcb on Owl) and there are good reasons for that: it's
pam_unix or equivalent which knows whether a password update actually
succeeds or not and the password hashing method in use (so it can store
and check old password hashes in the same way).

I find password histories questionable primarily because they place old
passwords at extra risk.  Those passwords may be the same or similar to
passwords still in use (or to passwords that will be used in the future)
on other accounts of the same person (including on other machines) or of
other related people.

If old passwords are stored in hashed form, then it may be impractical
(too computationally expensive) to check for and reject "similar" new
passwords.  So only exactly the same passwords will be rejected.  On the
other hand, if old passwords are stored in plaintext or in an easily
reversible form, such a password history poses an even higher risk (it's
an excellent "wordlist" for John the Ripper to be applied to password
files of the same organization, with word mangling rules enabled).
These two (fully hashed or plaintext-equivalent storage) are not the
only possibilities - there can be variations, such as storage of hashes
of "unified" rather than original passwords - but those are "somewhere
in the middle" in terms of risk vs. potential benefit.

Overall, password histories likely have a negative impact on systems'
security.

I was asked to add this functionality specifically to pam_passwdqc a few
times.  Some people were willing to have their organizations pay for it.
On such occasions, I would explain why it is likely a bad idea - and I
was successful at that.  Maybe next time someone approaches me with
such a request and is willing to have their organization compensate for
my time, I will just add this as an optional feature (including ability
to disable it at compile time to not have extra required dependencies
for building pam_passwdqc and not have to bundle password hashing code
with pam_passwdqc itself).  If/when I make such a version of
pam_passwdqc public, I will add the appropriate disclaimer (similar to
this posting) to the documentation.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

-- 
To unsubscribe, e-mail owl-users-unsubscribe@private and reply
to the automated confirmation request that will be sent to you.



This archive was generated by hypermail 2.1.3 : Sat Jun 23 2007 - 18:45:02 PDT