Path: utzoo!utgpu!water!watmath!clyde!att!rutgers!mailrus!ames!pasteur!ucbvax!VENUS.YCC.YALE.EDU!LEICHTER
From: LEICHTER@VENUS.YCC.YALE.EDU ("Jerry Leichter ", LEICHTER-JERRY@CS.YALE.EDU)
Newsgroups: comp.os.vms
Subject: re: authorize question
Message-ID: <8807101119.AA23835@ucbvax.Berkeley.EDU>
Date: 7 Jul 88 16:27:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 45


	I am writing a program that will check if a user has changed his/her
	password from AAA to BBB and back to AAA. A lot of users do this, and
	it is not very secure. My idea was to write a program that checks if
	the user has changed the password since the last check, and if so, checks
	if the new hashed password value is in a table. The table contains a
	list of the last 20 (or more) hashed password values, one table for
	each user on the system. If the new hashed password is in the table,
	then the user must change the password again - and this is my problem.
	The only way I have found so far is to set the bit UAI$V_PWD_EXPIRED in
	the field UAI$_FLAGS. It works, but the result of doing this is that
	every user that does this nasty thing (using his/her old password) is
	running in and out of my office, and *that* was not my idea.

	Does anyone know how to force the user to change the password the next
	time he/she logs on to the system? If I get this program to work and if
	anyone out there would like a copy of it, I will send it to the list.

Try setting the password expiration time to some time in the past.

BUT...please don't do what you are talking about doing.  It's the typical
techie fix for a people problem, and it won't work.  In fact, it'll probably
make things worse:  Have a machine force people to do something they don't
think is important - it makes NO difference what YOU think is important - will
simply encourage them to find ways of fooling the machine.  The classic story
along this line is of the guy who found a quick way to come up with the
required new password every month:  He just used the name of the month.  He
was so proud of his new technique that he told everyone in the office about
it - and they started doing the same thing.

Fix the system to reject month names or words in the dictionary and people
will use "month name followed by X".  Force them to use a password generator
every month and they'll write the password on their blackboard.  (The ones
who are "security conscious" will write it on a piece of paper hidden in a
desk drawer.)

Education is the ONLY reliable way to increase system security.  Understand
what you are trying to accomplish, and why, and make sure your users
understand it, too.  Then they and you will be on the same side, rather than
fighting.

Get into a fight with your users, and I can absolutely predict who will win
in the long run.  Hint:  It won't be you.

							-- Jerry
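The per-user history table described in the quoted question, as an added Python example that is not from the original post: each past password is stored as a salted PBKDF2 hash (an assumption standing in for the VMS UAF hash, which is not available here), the table keeps only the last 20 entries, and a candidate password is re-hashed under every stored salt before the change is accepted.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

HISTORY_DEPTH = 20        # the question keeps the last 20 hashed values per user
PBKDF2_ROUNDS = 50_000    # assumption: slow salted hash in place of the VMS UAF hash


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of one password (placeholder for the system's own hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-user table of the last HISTORY_DEPTH password hashes (constructed example)."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        # user -> deque of (salt, digest); a full deque drops its oldest entry
        self._table = defaultdict(lambda: deque(maxlen=depth))

    def record(self, user: str, password: str) -> None:
        """Call when a password change has been observed, so the value joins the history."""
        salt = os.urandom(16)           # fresh salt per entry, so equal passwords look different
        self._table[user].append((salt, _hash(password, salt)))

    def is_reused(self, user: str, candidate: str) -> bool:
        """True if candidate matches any password still in this user's history."""
        # Every entry has its own salt, so the candidate is re-hashed once per entry;
        # compare_digest keeps the comparison constant-time.
        return any(hmac.compare_digest(_hash(candidate, salt), digest)
                   for salt, digest in self._table[user])

    def check_change(self, user: str, new_password: str) -> bool:
        """Apply the question's rule to one observed change.

        Returns True if the user must change the password again (it is in the
        history), False otherwise. The new value is recorded either way so that
        the AAA -> BBB -> AAA pattern is caught on the third step.
        """
        reused = self.is_reused(user, new_password)
        self.record(user, new_password)
        return reused


if __name__ == "__main__":
    h = PasswordHistory()
    for pw in ("AAA", "BBB", "AAA"):            # the flip-flop pattern from the question
        print(pw, "-> must change again" if h.check_change("alice", pw) else "-> accepted")
```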