Operating System - HP-UX

How to disallow user to reuse their old password

yc_2
Regular Advisor

Hi,

How can I disallow users from reusing their old password for at least a week before they can reuse it again?

I'm aware that there is a feature called "Minimum Time Between Password Changes", but this is not what my Risk Assessor wants.


Thanks in advance,
YC
Scott Van Kalken
Esteemed Contributor

Re: How to disallow user to reuse their old password

There is a file called /etc/default/security.

It should be mode 444.

If you add the line

PASSWORD_HISTORY_DEPTH=8

Then the previous 8 passwords are remembered.
Michael Tully
Honored Contributor

Re: How to disallow user to reuse their old password

Hi,

Here is some information from the Technical Knowledge Base. In conjunction with your trusted system, you need to set up a password history file which prevents a user from re-using their password for up to 10 times. This should fix your problem.

Cheers
Michael

Error in syslog. get_pwhist_config and default password history DocId: KBRC00000915 Updated: 2/9/00 10:36:50 AM

PROBLEM
Trusted system running 11.0. Started seeing the following message in
/var/adm/syslog/syslog.log:

Mar 2 08:17:26 husker syslog: get_pwhist_config: Can not open
/etc/default/security file. Default password history depth 1 is used.

What program runs this and what does it mean?


RESOLUTION
This is a relatively new feature on 11.0 systems. It is password history on a
trusted system.
Features
--------
Password history check of up to 10 passwords.
The system administrator can enable the password history feature to
discourage users from reusing previously used passwords. To enable the
password history feature, the system administrator should create a file
(or open the file if it already exists) named
/etc/default/security and append to it one line containing:
PASSWORD_HISTORY_DEPTH=number
The line contains three keywords: PASSWORD_HISTORY_DEPTH, =, and a
decimal number which is the desired depth for the password history check. If
the number is 2, the user's new password will be checked against two previously
used passwords. One is the current password, and the other one is the password
used before the current password. A configuration of password history depth of
2 prevents users from alternating between two passwords. The maximum
password history depth supported is 10 and the minimum password history
depth supported is 1. A depth configuration of more than 10 will be
treated as 10, and a depth configuration of less than 1 will be treated
as 1.
The password history depth configuration is on a system basis and is
supported in trusted system for users in files repository only. This
feature does not support the users in NIS or NISPLUS repositories. Once
the feature is enabled, all the users on the system are subject to the
same check. If the password history configuration file
/etc/default/security does not exist, or if the file exists but the
required line is missing, or if the line exists but any of the three
required keywords is missing, the password history check feature is
automatically disabled. When the feature is disabled, the password
history check depth is set to 1 and a password change is subject to all
of the other rules for a new password including a check with the current
password.


Anyone for a Mutiny ?
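The KB text above spells out how the PASSWORD_HISTORY_DEPTH line is interpreted (missing file, missing line or malformed value disables the check and leaves depth 1; values are clamped to 1..10; depth N compares against the current password plus N-1 earlier ones). The POSIX sh functions below are an added example, not HP's code or anything posted in the thread, that apply those rules to a copy of /etc/default/security so an administrator can see the depth that will actually be enforced before touching the live file.

```shell
#!/bin/sh
# Added example: compute the password history depth HP-UX would apply,
# following the parsing rules quoted from the KB article. FILE is normally
# /etc/default/security; it is a parameter so a test copy can be checked.
effective_pw_history_depth() {
    file=$1
    # Missing/unreadable file: feature disabled, depth 1 (only the current
    # password is compared against the new one).
    [ -r "$file" ] || { echo 1; return; }
    # Last line of the form PASSWORD_HISTORY_DEPTH=<decimal>; the three
    # required "keywords" are the name, '=', and the number.
    line=$(grep '^[[:space:]]*PASSWORD_HISTORY_DEPTH[[:space:]]*=' "$file" | tail -n 1)
    [ -n "$line" ] || { echo 1; return; }
    value=${line#*=}
    value=$(printf '%s' "$value" | tr -d '[:space:]')
    case $value in
        ''|*[!0-9]*) echo 1; return ;;   # not a decimal number: check disabled
    esac
    # Clamp to the supported range 1..10.
    if [ "$value" -gt 10 ]; then value=10; fi
    if [ "$value" -lt 1 ]; then value=1; fi
    echo "$value"
}

# How many passwords *before* the current one are rejected at the given
# depth: depth 1 rejects none of them, depth 2 rejects the previous one, etc.
previous_passwords_rejected() {
    d=$(effective_pw_history_depth "$1")
    echo $((d - 1))
}
```

Run `effective_pw_history_depth /etc/default/security` on the host to see the enforced depth; a result of 1 means that only the current password is checked, so the previous password can be reused.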
yc_2
Regular Advisor

Re: How to disallow user to reuse their old password

Hi,

I tried the suggestion by putting:
PASSWORD_HISTORY_DEPTH=1
in the /etc/default/security file, but it doesn't work.

With the above, I can reuse the password. Are there any patches that need to be applied?


Rgds,
YC
Michael Tully
Honored Contributor

Re: How to disallow user to reuse their old password

Hi,

Yep, looks like a problem; my test system has the same problem, but it should work. I'm going to look at some patches.

Michael
Anyone for a Mutiny ?
Bill Hassell
Honored Contributor

Re: How to disallow user to reuse their old password

This will not work on 10.20 or earlier, and your 11.0 or 11.11 system must be converted to a Trusted System for this feature to work.


Bill Hassell, sysadmin
Michael Tully
Honored Contributor
Solution

Re: How to disallow user to reuse their old password

On another system I don't have a problem. The test system I was using before is 10.20, which of course doesn't work. This is from an 11.00 system. These are the messages that are displayed with 'PASSWORD_HISTORY_DEPTH=2'.
Your system *MUST* be set as trusted.

user@systemx:/home/user 285 $ passwd
Changing password for user
Old password:
Last successful password change for user: Mon Jun 24 12:56:35 2002
Last unsuccessful password change for user: NEVER

Do you want (choose one letter only):
pronounceable passwords generated for you (g)
a string of letters generated (l) ?
to pick your passwords (p) ?

Enter choice here: p
New password:
You may not re-use a previously used password.
New password:
Anyone for a Mutiny ?
yc_2
Regular Advisor

Re: How to disallow user to reuse their old password

Hi,

It works only when the parameter is set to 2.

Thanks.
YC