Typically in OSes that check that passwords are not similar to previously used passwords there is a password history file that contains old passwords in an encrypted form (not one-way) that can be compared against what is entered. Find the password history file, blow it away and create a new one with the touch command and you will have no password history.
Phil
-----Original Message-----
From: kclug-bounces@kclug.org [mailto:kclug-bounces@kclug.org] On Behalf Of Dave Hull
Sent: Saturday, February 17, 2007 9:33 PM
To: cragos@gmail.com
Cc: kclug@kclug.org
Subject: Re: Quick security question
Interesting question.
Mathematically, the hashes of "testpass" and "tespass" are very different, so obviously the passwd program isn't comparing hashes. What is it comparing?
When a user runs the passwd program, they are prompted for their old password and the password program stores that value, then the user is prompted for a new password and the new value is compared to the old value. The hashes themselves are not being compared.
When root runs the passwd program, it doesn't prompt for the old password value so there's no comparison.
On 2/17/07, cragos@gmail.com <cragos@gmail.com> wrote:
Can someone more familiar than I with the math behind one-way hashes explain how a hashed string is compared with a string in plaintext? I had a typo in the text I fed to passwd, and, when I went back in to fix the typo, I got an error message that read: "BAD PASSWORD: is too similar to the old one"

Of course, that was easy enough to override as root, but it raises an interesting question. Anyone game to explain the math behind how it was able to tell?

Thanks,
Sean

_______________________________________________
Kclug mailing list
Kclug@kclug.org
http://kclug.org/mailman/listinfo/kclug
--
Dave Hull
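As an added illustration of the comparison Dave describes (example code written for this page, not code from the thread, from passwd, or from any PAM module): the "too similar" check can only work because passwd holds the old password in plaintext for the duration of the change, having just asked for it. The similarity heuristic below, its threshold of 5 and the function names are this example's own simplifications, loosely in the spirit of the "difok" style checks in the PAM cracklib/pwquality modules; the reason strings mirror the wording Sean saw. The hash-distance helper shows why comparing the stored hashes instead would be hopeless, and the None case shows why root, who is never prompted for the old password, gets no check at all.

```python
import hashlib
from typing import Optional

# How many characters of the old password must be absent from the new one
# before the change is accepted.  The value 5 is this example's assumption,
# in the spirit of the PAM modules' "difok" setting; it is not from the thread.
MIN_DIFFERENT_CHARS = 5


def hash_distance_bits(a: str, b: str) -> int:
    """Hamming distance, in bits, between the SHA-256 digests of two strings.

    A one-character typo flips roughly half of the 256 digest bits, so the
    hashes of "testpass" and "tespass" carry no usable similarity signal.
    """
    da = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(da ^ db).count("1")


def differing_chars(old: str, new: str) -> int:
    """Count characters of the old password that have no counterpart in the new one.

    Each character of ``old`` consumes at most one matching character of
    ``new``, so repeated letters are not matched several times over.
    """
    remaining = list(new)
    missing = 0
    for ch in old:
        if ch in remaining:
            remaining.remove(ch)
        else:
            missing += 1
    return missing


def check_new_password(old_plain: Optional[str], new_plain: str) -> str:
    """Decide whether a password change is acceptable.

    ``old_plain`` is the old password exactly as typed at the "current
    password" prompt, or None when passwd never asked for it (root in the
    thread).  Returns "OK" or a cracklib-style reason string.
    """
    if old_plain is None:
        # Only the one-way hash of the old password exists on disk, and a
        # hash cannot be compared for similarity, so nothing can be checked.
        return "OK"
    if new_plain == old_plain:
        return "BAD PASSWORD: is the same as the old one"
    if new_plain.lower() == old_plain.lower():
        return "BAD PASSWORD: case changes only"
    if differing_chars(old_plain, new_plain) < MIN_DIFFERENT_CHARS:
        return "BAD PASSWORD: is too similar to the old one"
    return "OK"


if __name__ == "__main__":
    # Sean's case: a typo fixed by an ordinary user who typed the old password.
    print(check_new_password("testpass", "tespass"))
    # The same change made by root, who was never asked for the old password.
    print(check_new_password(None, "tespass"))
    # Why the hashes themselves are useless for this decision.
    print(hash_distance_bits("testpass", "tespass"), "of 256 digest bits differ")
```

Running the block prints the "too similar" rejection for the user case, "OK" for the root case, and a digest distance somewhere around 128 bits, which is what two unrelated SHA-256 outputs look like.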