topic Re: How to disallow user to reuse their old password in Operating System - HP-UX

How to disallow user to reuse their old password

yc_2 — Sun, 23 Jun 2002 23:57:18 GMT

Hi,

How to disallow user to reuse their old password at least for a week before they can reuse back their old password.

I'm aware that there is a feature called "Minimum Time Between Password Changes" but this is not my Risk Assessor wants.

Thanks in advance,
YC

Re: How to disallow user to reuse their old password

Scott Van Kalken — Mon, 24 Jun 2002 00:24:54 GMT

There is a file called /etc/default/security.

It should be mode 444

if you add the line

PASSWORD_HISTORY_DEPTH=8

Then the previous 8 passwords are remembered.

Re: How to disallow user to reuse their old password

Michael Tully — Mon, 24 Jun 2002 00:26:10 GMT

Hi,

Here is some information from the Technical Knowledge Base. In conjunction with your trusted system, you need to set up a password history file which prevents a user from re-using their passwd for up to 10 times. This should fix your problem.

Cheers
Michael

Error in syslog. get_pwhist_config and default password history DocId: KBRC00000915 Updated: 2/9/00 10:36:50 AM

PROBLEM
Trusted system running 11.0. Started seeing the following message in
/var/adm/syslog/syslog.log:

Mar 2 08:17:26 husker syslog: get_pwhist_config: Can not open
/etc/default/security file. Default password history depth 1 is used.

What program runs this and what does it mean?

RESOLUTION
This is a relatively new feature on 11.0 systems. It is password history on a
trusted system.
Features
--------
Password history check of up to 10 passwords.
The system administrator can enable the password history feature to
discourage users from reusing previously used passwords. To enable the
password history feature, the system administrator should create a file
(or open the file if it already exists) named
/etc/default/security and append to it one line containing:
PASSWORD_HISTORY_DEPTH=number
The line contains three keywords: PASSWORD_HISTORY_DEPTH, =, and a
decimal number which is the desired depth for the password history check. If
the number is 2, the user's new password will be checked against two previously
used passwords. One is the current password, and the other one is the password
used before the current password. A configuration of password history depth of
2 prevents users from alternating between two passwords. The maximum
password history depth supported is 10 and the minimum password history
depth supported is 1. A depth configuration of more than 10 will be
treated as 10, and a depth configuration of less than 1 will be treated
as 1.
The password history depth configuration is on a system basis and is
supported in trusted system for users in files repository only. This
feature does not support the users in NIS or NISPLUS repositories. Once
the feature is enabled, all the users on the system are subject to the
same check. If the password history configuration file
/etc/default/security does not exist, or if the file exists but the
required line is missing, or if the line exists but any of the three
required keywords is missing, the password history check feature is
automatically disabled. When the feature is disabled, the password
history check depth is set to 1 and a password change is subject to all
of the other rules for a new password including a check with the current
password.

Re: How to disallow user to reuse their old password

yc_2 — Mon, 24 Jun 2002 01:26:02 GMT

Hi,

I tried with the suguestion by putting:
PASSWORD_HISTORY_DEPTH=1
in /etc/default/security file but it doestn't work.

With the above, I can reuse the password. Is there any patches need to apply ?

Rgds,
YC

Re: How to disallow user to reuse their old password

Michael Tully — Mon, 24 Jun 2002 01:45:21 GMT

Hi,

Yep looks like a problem, my test system has the same problem, but it should work. I'm going to look at some patches.

Michael

Re: How to disallow user to reuse their old password

Bill Hassell — Mon, 24 Jun 2002 01:46:08 GMT

This will not work on 10.20 or earlier, and your 11.0 or 11.11 system must be converted to a Trusted System for this feature to work.

Re: How to disallow user to reuse their old password

Michael Tully — Mon, 24 Jun 2002 01:49:55 GMT

On another system I don't have a problem. The test system I was using before is 10.20 which of course doesn't work. This is from a 11.00 system. These are the messages that are displayed with 'PASSWORD_HISTORY_DEPTH=2'
Your system *MUST* be set as trusted.

user@systemx:/home/user 285 $ passwd
Changing password for user
Old password:
Last successful password change for user: Mon Jun 24 12:56:35 2002
Last unsuccessful password change for user: NEVER

Do you want (choose one letter only):
pronounceable passwords generated for you (g)
a string of letters generated (l) ?
to pick your passwords (p) ?

Enter choice here: p
New password:
You may not re-use a previously used password.
New password:

Re: How to disallow user to reuse their old password

yc_2 — Mon, 24 Jun 2002 01:58:12 GMT

Hi,

It works only when the parameter is set top 2.

Thanks.
YC