Passwords: How are they stored?

2002-01-27 Thread Joel Hammer

I had thought that passwords were not stored on your computer, simply the
hash'ed password. 
Yet, when I try to change my password, I get told my new password isn't
acceptable because it is too similar to the old one, or just involves a
change in case.
Any insight appreciated,
Joel

___
Linux-users mailing list - http://linux.nf/mailman/listinfo/linux-users
Subscribe/Unsubscribe info, Archives,and Digests are located at the above URL.



Re: Passwords: How are they stored?

2002-01-27 Thread Bruce Marshall

On Sunday 27 January 2002 9:09 am, Joel Hammer wrote:
> I had thought that passwords were not stored on your computer, simply the
> hash'ed password.
> Yet, when I try to change my password, I get told my new password isn't
> acceptable because it is too similar to the old one, or just involves a
> change in case.
> Any insight appreciated,
> Joel


I don't follow.   What does hashing the password have to do with changing it?

And the problem you're running up against are the rules for passwords, 
trying to keep you from making things too easy to crack your password.

-- 
++
+ Bruce S. Marshall  [EMAIL PROTECTED]  Bellaire, MI 01/27/02 10:44  +
++
I do not fear computers. I fear the lack of them. - Isaac Asimov.



Re: Passwords: How are they stored?

2002-01-27 Thread Joel Hammer

I thought that for security reasons, the actual password is never stored on
the computer, just the encrypted form. If so, how can the computer know that
I have tried to cheat and when asked to alter my password, I just changed
the case of one letter.

Joel

On Sun, Jan 27, 2002 at 10:45:31AM -0500, Bruce Marshall wrote:
> On Sunday 27 January 2002 9:09 am, Joel Hammer wrote:
> > I had thought that passwords were not stored on your computer, simply the
> > hash'ed password.
> > Yet, when I try to change my password, I get told my new password isn't
> > acceptable because it is too similar to the old one, or just involves a
> > change in case.
> > Any insight appreciated,
> > Joel
>
> I don't follow.   What does hashing the password have to do with changing it?
>
> And the problem you're running up against are the rules for passwords, 
> trying to keep you from making things too easy to crack your password.
>
> -- 
> ++
> + Bruce S. Marshall  [EMAIL PROTECTED]  Bellaire, MI 01/27/02 10:44  +
> ++
> I do not fear computers. I fear the lack of them. - Isaac Asimov.



Re: Passwords: How are they stored?

2002-01-27 Thread Bruce Marshall

On Sunday 27 January 2002 12:20 pm, Joel Hammer wrote:
> I thought that for security reasons, the actual password is never stored on
> the computer, just the encrypted form. If so, how can the computer know
> that I have tried to cheat and when asked to alter my password, I just
> changed the case of one letter.

Did it not ask for your old password in order to change the new one?  (as a 
normal user you should have been asked.)

-- 
++
+ Bruce S. Marshall  [EMAIL PROTECTED]  Bellaire, MI 01/27/02 14:22  +
++
I have taken more good from alcohol than alcohol has taken from me. - Winston Churchill



Re: Passwords: How are they stored?

2002-01-27 Thread David A. Bandel

On Sun, 27 Jan 2002 12:20:25 -0500
Joel Hammer [EMAIL PROTECTED] spewed into the bitstream:

> I thought that for security reasons, the actual password is never stored
> on the computer, just the encrypted form. If so, how can the computer
> know that I have tried to cheat and when asked to alter my password, I
> just changed the case of one letter.

In DES, you have a 13 character hash, the first two are a salt (in MD5
this is a 4 character salt).  If you use the same salt as the old password
and create a new hash, then compare the new and old hash, and you know the
difference between a and A (or b and B, etc, they are just representations
of numbers after all) then what you've done to your password is fairly
obvious from an analytical standpoint.

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
Internet (H323) phone: 206.28.187.30



Re: Passwords: How are they stored?

2002-01-27 Thread Joel Hammer

Hmmm...
Hmmm..
Yes. Now that you mention it. 
I wonder why I didn't think of that myself? 
Thanks,
Joel

On Sun, Jan 27, 2002 at 02:24:02PM -0500, Bruce Marshall wrote:
> On Sunday 27 January 2002 12:20 pm, Joel Hammer wrote:
> > I thought that for security reasons, the actual password is never stored on
> > the computer, just the encrypted form. If so, how can the computer know
> > that I have tried to cheat and when asked to alter my password, I just
> > changed the case of one letter.
>
> Did it not ask for your old password in order to change the new one?  (as a 
> normal user you should have been asked.)



Re: Passwords: How are they stored?

2002-01-27 Thread David A. Bandel

On Sun, 27 Jan 2002 15:03:46 -0500
Joel Hammer [EMAIL PROTECTED] spewed into the bitstream:

> Hmmm...
> Hmmm..
> Yes. Now that you mention it. 
> I wonder why I didn't think of that myself? 

Umm. Depends on the distro, but this is configurable.  You can force users
to put in their old password before they can change it, or not.  See
/etc/pam.d/passwd (and the pam_passwd.so module README).  Note that there
is a facility for storing old passwords in MD5 hash in
/etc/security/opasswd so that you can't simply alternate between two old
passwords.


> Thanks,
> Joel
>
> On Sun, Jan 27, 2002 at 02:24:02PM -0500, Bruce Marshall wrote:
> > On Sunday 27 January 2002 12:20 pm, Joel Hammer wrote:
> > > I thought that for security reasons, the actual password is never
> > > stored on the computer, just the encrypted form. If so, how can the
> > > computer know that I have tried to cheat and when asked to alter
> > > my password, I just changed the case of one letter.
> >
> > Did it not ask for your old password in order to change the new one? 
> > (as a normal user you should have been asked.)


-- 
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
Internet (H323) phone: 206.28.187.30
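
An added example, not part of any poster's message and not PAM's own code: a sketch of the password-change flow this thread discusses, where only a salt and hash are stored, the old password is typed again at change time, and a history of old hashes blocks reuse. PBKDF2 from `hashlib` stands in for crypt(3); the function names, the 0.8 similarity threshold, the messages and the in-memory account record are assumptions.

```python
import difflib, hashlib, hmac, os

def make_record(password, salt=None):
    """Return (salt, digest); only this pair is ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def verify(password, record):
    """Re-hash the candidate with the stored salt and compare digests."""
    salt, digest = record
    return hmac.compare_digest(make_record(password, salt)[1], digest)

def similarity_problem(old, new):
    """Hypothetical rules. Both arguments are cleartext typed at the prompt;
    the stored digests cannot be used for this comparison."""
    if old.lower() == new.lower():
        return "case changes only"
    if difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio() >= 0.8:
        return "too similar to the old one"
    return None

def change_password(account, old, new, remember=3):
    # Step 1: the old password is verified against the stored hash.
    if not verify(old, account["current"]):
        return "authentication failure"
    # Step 2: old and new are compared as cleartext, in memory only.
    problem = similarity_problem(old, new)
    if problem:
        return problem
    # Step 3: history holds hashes only, so it can detect exact reuse
    # (re-hash the new password with each old salt) but not similarity.
    if any(verify(new, rec) for rec in account["history"]):
        return "password has been already used"
    account["history"] = ([account["current"]] + account["history"])[:remember]
    account["current"] = make_record(new)
    return "ok"

if __name__ == "__main__":
    # Constructed sample account and passwords.
    acct = {"current": make_record("Winter-2002x"), "history": []}
    attempts = [("guess", "anything-else-9"),
                ("Winter-2002x", "winter-2002X"),
                ("Winter-2002x", "Winter-2003x"),
                ("Winter-2002x", "correct horse battery"),
                ("correct horse battery", "Winter-2002x")]
    for old, new in attempts:
        print(f"{old!r} -> {new!r}: {change_password(acct, old, new)}")
```
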