Path: utzoo!utgpu!water!watmath!clyde!att!ucbvax!XRT.UPENN.EDU!CLAYTON
From: CLAYTON@XRT.UPENN.EDU ("Clayton, Paul D.")
Newsgroups: comp.os.vms
Subject: Thoughts On Password Monitoring, And Re-Use Of Old Passwords...
Message-ID: <8807101955.AA16612@linc.cis.upenn.edu>
Date: 10 Jul 88 19:56:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 29

In response to the recent bout of messages on the changing of passwords and
how to insure that users do not re-use passwords, I offer the following
solution.

On the VAX87C SIG tape, in the directory [VAX87C.EROS.PASS], there is a
program already written which will maintain a history of passwords on an
account basis. The length of time the history is kept is user selectable by
processor. This program would be run each night, and it will check for a user
that has changed his/her password and if it is now the same as a previous one
for that user, over time duration (x). If it DOES match, the UAF record is set
with PASSWORD EXPIRED, so that the next time the user logs into the account
the password once again has to be changed.

Note that this does NOT stop people from re-using the passwords, but I believe
that they will get tired of entering new passwords and then this problem would
be solved.

Concurrent with the program implementation, it would speed up the acceptance
of, and adherence to, this system if a policy is put forth stating the
specific time frame, each day, that dead accounts will be re-enabled for the
user.

Hope this helps.

pdc

Paul D. Clayton
Address - CLAYTON%XRT@CIS.UPENN.EDU

Disclaimer: All thoughts and statements here are my own and NOT those of my
employer, and are also not based on, or contain, restricted information.
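
An added sketch of the nightly check described in the post above; it is not the program on the SIG tape and not the poster's code. It assumes the job can read each account's stored password hash and that the same password yields the same stored value for a given account; the record layout, class and function names, and the sample hashes are hypothetical and constructed.

```python
from datetime import date, timedelta

class PasswordHistory:
    """Per-account history of stored password hashes (hypothetical layout)."""

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)  # the post's duration (x)
        self.current = {}   # username -> hash seen on the previous run
        self.retired = {}   # username -> [(date_retired, hash), ...]

    def nightly_run(self, uaf, today):
        """Flag accounts whose new hash matches one retired inside the window.

        uaf maps username -> {"hash": str, "expired": bool}, a stand-in for
        the authorization file. Returns the usernames flagged on this run.
        """
        flagged = []
        for user, rec in uaf.items():
            # Drop history entries older than the retention window.
            old = [(d, h) for d, h in self.retired.get(user, [])
                   if today - d <= self.retention]
            prev = self.current.get(user)
            if prev is not None and rec["hash"] != prev:   # password changed
                if any(h == rec["hash"] for _, h in old):  # re-use detected
                    rec["expired"] = True   # forces a change at next login
                    flagged.append(user)
                old.append((today, prev))   # the replaced hash joins the history
            self.retired[user] = old
            self.current[user] = rec["hash"]
        return flagged

def demo():
    """Constructed data: alice goes A -> B -> A, bob never changes."""
    day0 = date(1988, 7, 1)
    hist = PasswordHistory(retention_days=90)
    uaf = {"alice": {"hash": "hash-A", "expired": False},
           "bob": {"hash": "hash-X", "expired": False}}
    results = [hist.nightly_run(uaf, day0)]            # baseline run
    uaf["alice"]["hash"] = "hash-B"
    results.append(hist.nightly_run(uaf, day0 + timedelta(days=10)))
    uaf["alice"]["hash"] = "hash-A"                     # back to the old one
    results.append(hist.nightly_run(uaf, day0 + timedelta(days=20)))
    return results, uaf["alice"]["expired"]

if __name__ == "__main__":
    print(demo())
```

As the post notes, a check of this kind does not prevent re-use; it detects it on the next run and forces another change.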