Path: utzoo!utgpu!water!watmath!clyde!att!ucbvax!XRT.UPENN.EDU!CLAYTON
From: CLAYTON@XRT.UPENN.EDU ("Clayton, Paul D.")
Newsgroups: comp.os.vms
Subject: Thoughts On Password Monitoring, And Re-Use Of Old Passwords...
Message-ID: <8807101955.AA16612@linc.cis.upenn.edu>
Date: 10 Jul 88 19:56:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 29


In response to the recent bout of messages on the changing of passwords and 
how to ensure that users do not re-use passwords, I offer the following 
solution.

On the VAX87C SIG tape, in the directory, [VAX87C.EROS.PASS], there is a 
program already written which will maintain a history of passwords on an 
account basis. The length of time the history is kept is user selectable by 
processor. This program would be run each night, and it will check for a user 
that has changed his/her password and if it is now the same as a previous one 
for that user, over time duration (x). If it DOES match, the UAF record is set 
with PASSWORD EXPIRED, so that the next time the user logs into the account 
the password once again has to be changed. 

Note that this does NOT stop people from re-using the passwords, but I believe 
that they will get tired of entering new passwords and then this problem would 
be solved. Concurrent with the program implementation, it would speed up the 
acceptance of, and adherence to, this system if a policy is put forth stating 
the specific time frame, each day, that dead accounts will be re-enabled for 
the user.

Hope this helps.
pdc

Paul D. Clayton 
Address - CLAYTON%XRT@CIS.UPENN.EDU

Disclaimer:  All thoughts and statements here are my own and NOT those of my 
employer, and are also not based on, or contain, restricted information.
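
The nightly check described in the post above, sketched as an added example (this is not the program from the SIG tape and not the poster's code). It assumes the authorization file can be modelled as a dictionary, that stored password hashes are opaque strings, and that the same password always yields the same stored hash for a given user; all names and sample values are hypothetical.

```python
from datetime import datetime, timedelta

def nightly_check(uaf, history, now, keep):
    """One nightly pass over the authorization records.

    uaf:     {user: {"hash": str, "pwd_expired": bool}}  (stand-in for UAF records)
    history: {user: [(hash, last_seen_in_use)]}, current password last
    keep:    timedelta, how long a retired password stays in the history
    Returns the users whose new password matched a remembered one.
    """
    flagged = []
    for user, rec in uaf.items():
        entries = history.setdefault(user, [])
        if entries and entries[-1][0] == rec["hash"]:
            entries[-1] = (rec["hash"], now)   # unchanged: refresh last-seen time
            continue
        # Password changed since the last run (or first sighting of the account).
        remembered = {h for h, seen in entries if now - seen <= keep}
        if rec["hash"] in remembered:
            rec["pwd_expired"] = True          # forces another change at next login
            flagged.append(user)
        # Age out old entries, drop any stale copy of this hash, record it as newest.
        entries[:] = [(h, s) for h, s in entries
                      if now - s <= keep and h != rec["hash"]]
        entries.append((rec["hash"], now))
    return flagged

def simulate(keep_days):
    """Three nightly runs over constructed data: ALICE goes H1 -> H2 -> H1, BOB never changes."""
    uaf = {"ALICE": {"hash": "H1", "pwd_expired": False},
           "BOB": {"hash": "B1", "pwd_expired": False}}
    history, start, results = {}, datetime(1988, 7, 10, 2, 0), []
    for night, alice_hash in enumerate(["H1", "H2", "H1"]):
        uaf["ALICE"]["hash"] = alice_hash
        results.append(nightly_check(uaf, history,
                                     start + timedelta(days=night),
                                     timedelta(days=keep_days)))
    return results, uaf

if __name__ == "__main__":
    print(simulate(30)[0])   # flagged users per night with a 30-day history
    print(simulate(1)[0])    # same changes with a 1-day history
```

With a 30-day history the third run flags ALICE and sets her record expired; with a 1-day history the old hash has already aged out and the same change passes unflagged, which is why the retention period matters.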