Path: utzoo!utgpu!water!watmath!clyde!att!rutgers!mailrus!ames!pasteur!ucbvax!VENUS.YCC.YALE.EDU!LEICHTER
From: LEICHTER@VENUS.YCC.YALE.EDU ("Jerry Leichter ", LEICHTER-JERRY@CS.YALE.EDU)
Newsgroups: comp.os.vms
Subject: re: authorize question
Message-ID: <8807101119.AA23835@ucbvax.Berkeley.EDU>
Date: 7 Jul 88 16:27:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 45

	I am writing a program that will check if a user has changed his/her
	password from AAA to BBB and back to AAA. A lot of users do this, and
	it is not very secure.

	My idea was to write a program that checks if the user has changed the
	password since the last check, and if so, checks if the new hashed
	password value is in a table. The table contains a list of the last 20
	(or more) hashed password values, one table for each user on the
	system. If the new hashed password is in the table, then the user must
	change the password again - and this is my problem. The only way I
	have found so far is to set the bit UAI$V_PWD_EXPIRED in the field
	UAI$_FLAGS. It works, but the result of doing this is that every user
	who does this nasty thing (using his/her old password) is running in
	and out of my office, and *that* was not my idea.

	Does anyone know how to force the user to change the password the next
	time he/she logs on to the system?

	If I get this program to work and if anyone out there would like a
	copy of it, I will send it to the list.

Try setting the password expiration time to some time in the past.

BUT...please don't do what you are talking about doing. It's the typical techie fix for a people problem, and it won't work. In fact, it'll probably make things worse: Having a machine force people to do something they don't think is important - it makes NO difference what YOU think is important - will simply encourage them to find ways of fooling the machine.

The classic story along this line is of the guy who found a quick way to come up with the required new password every month: He just used the name of the month. He was so proud of his new technique that he told everyone in the office about it - and they started doing the same thing. Fix the system to reject month names or words in the dictionary and people will use "month name followed by X". Force them to use a password generator every month and they'll write the password on their blackboard. (The ones who are "security conscious" will write it on a piece of paper hidden in a desk drawer.)

Education is the ONLY reliable way to increase system security. Understand what you are trying to accomplish, and why, and make sure your users understand it, too. Then they and you will be on the same side, rather than fighting. Get into a fight with your users, and I can absolutely predict who will win in the long run. Hint: It won't be you.

							-- Jerry
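
The polling history check described in the quoted question, as an added example that is not part of the original post or of any program its authors wrote. It is written in Python rather than against the VMS system services; `stand_in_hash`, `HistoryChecker` and `run` are hypothetical names, and the hash is an assumed stand-in for the hashed password value read from the UAF. The sample sequences show what an exact-match table catches and what it misses.

```python
import hashlib
from collections import deque

HISTORY_DEPTH = 20  # "the last 20 (or more)" hashed values kept per user


def stand_in_hash(username, password):
    # Assumption: stands in for the hashed password value read from the UAF.
    # Deterministic per user, so the same password always gives the same hash.
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


class HistoryChecker:
    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.tables = {}  # one table per user: username -> deque, newest last

    def poll(self, username, current_hash):
        """One periodic check. Returns 'unchanged', 'ok' or 'reused'."""
        table = self.tables.setdefault(username, deque(maxlen=self.depth))
        if table and table[-1] == current_hash:
            return "unchanged"          # no change since the last check
        reused = current_hash in table  # exact match against the history
        table.append(current_hash)
        # On 'reused' the caller would expire the password (the post's
        # UAI$V_PWD_EXPIRED flag or a past expiration time).
        return "reused" if reused else "ok"


def run(username, passwords_seen_at_each_poll, depth=HISTORY_DEPTH):
    checker = HistoryChecker(depth)
    return [checker.poll(username, stand_in_hash(username, p))
            for p in passwords_seen_at_each_poll]


if __name__ == "__main__":
    # Constructed sample sequences, one password per polling interval.
    print(run("SMITH", ["AAA", "BBB", "AAA"]))          # flip-back is caught
    print(run("SMITH", ["JULY", "AUGUST", "JULYX"]))    # near-variant is not
    print(run("SMITH", ["AAA", "AAA"]))  # AAA->BBB->AAA between two polls
    print(run("SMITH", ["A", "B", "C", "A"], depth=2))  # cycle longer than table
```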