dahls%vax.elab.unit.uninett@TOR.NTA.NO (Joern Yngve Dahl-Stamnes) (07/05/88)
Hello, I am writing a program that will check if a user has changed his/her password from AAA to BBB and back to AAA. A lot of users do this, and it is not very secure. My idea was to write a program that checks if the user has changed the password since the last check, and if so, checks if the new hashed password value is in a table. The table contains a list of the last 20 (or more) hashed password values, one table for each user on the system. If the new hashed password is in the table, then the user must change the password again - and this is my problem. The only way I have found so far is to set the bit UAI$V_PWD_EXPIRED in the field UAI$_FLAGS. It works, but the result of doing this is that every user that does this nasty thing (using his/her old password) is running in and out of my office, and *that* was not my idea.

Does anyone know how to force the user to change the password next time he/she logs on the system? If I get this program to work and if anyone out there would like a copy of it, I will send it to the list.

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
| The University of Trondheim           | Joern Yngve Dahl-Stamnes  |
| The Norwegian Institute of Technology | System Manager            |
| Division of Physical Electronics      |                           |
| N 7034 Trondheim, Norway              | "Me God you user"         |
|---------------------------------------+---------------------------|
| dahls%vax.elab.unit.uninett@tor.nta.no                            |
| PSI%02422530001005::DAHLS                                         |
| Un*ix - the greatest implementation of Murphy's laws              |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
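The per-user history table described in the post above, worked through as an added illustration. This is not part of the original thread and is not VMS code: it touches no UAF record, UAI$_FLAGS bit or SET PASSWORD command, and the names, the (salt, hash) record layout and the PBKDF2 parameters are assumptions chosen for the example. It keeps the last 20 hashes per user, rejects a new password that matches any of them (the AAA -> BBB -> AAA case) and sets a "must change" flag in place of UAI$V_PWD_EXPIRED.

```python
# Added illustration of a per-user password-history check (generic Python,
# not VMS). Record layout, names and PBKDF2 parameters are assumptions.
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field

HISTORY_DEPTH = 20      # remember the last 20 hashes per user, as in the post
PBKDF2_ROUNDS = 5_000   # constructed low round count so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (an assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    username: str
    # Each history entry keeps its own salt so a candidate can be re-hashed
    # against it; the newest entry is the current password. A bounded deque
    # drops the oldest hash once HISTORY_DEPTH entries are stored.
    history: deque = field(default_factory=lambda: deque(maxlen=HISTORY_DEPTH))
    pwd_expired: bool = False   # stands in for the UAI$V_PWD_EXPIRED bit


class PasswordHistory:
    """Per-user table of the last HISTORY_DEPTH (salt, hash) pairs."""

    def __init__(self) -> None:
        self.users = {}   # username -> UserRecord

    def create_user(self, username: str, password: str) -> UserRecord:
        rec = UserRecord(username)
        self._store(rec, password)
        self.users[username] = rec
        return rec

    @staticmethod
    def _store(rec: UserRecord, password: str) -> None:
        salt = os.urandom(16)
        rec.history.append((salt, hash_password(password, salt)))

    def password_reused(self, username: str, candidate: str) -> bool:
        """True if the candidate matches any remembered hash for the user."""
        rec = self.users[username]
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in rec.history
        )

    def change_password(self, username: str, new_password: str) -> bool:
        """Apply a change. Returns False and flags the account when the new
        password is one of the last HISTORY_DEPTH; True when it is accepted."""
        rec = self.users[username]
        if self.password_reused(username, new_password):
            rec.pwd_expired = True      # the post's remedy: force another change
            return False
        self._store(rec, new_password)
        rec.pwd_expired = False
        return True


if __name__ == "__main__":
    table = PasswordHistory()
    table.create_user("dahls", "AAA")
    print(table.change_password("dahls", "BBB"))   # True
    print(table.change_password("dahls", "AAA"))   # False: found in the history
    print(table.users["dahls"].pwd_expired)        # True
```

Storing a fresh salt with every entry is what keeps the comparison honest: a candidate is re-hashed against each stored salt rather than compared by a single unsalted digest, and `hmac.compare_digest` avoids leaking how many bytes matched.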
LEICHTER@VENUS.YCC.YALE.EDU ("Jerry Leichter ", LEICHTER-JERRY@CS.YALE.EDU) (07/07/88)
> I am writing a program that will check if a user have changed his/her password
> from AAA to BBB and back to AAA. A lot of users do this, and it is not very
> secure. My idea was to write a program that check if the user have changed the
> password since last check, and if so, check if the new hashed password value
> is in a table. The table contain a list of the last 20 (or more) hashed
> password value, one table for each user on the system. If the new hashed
> password is in the table, then the user must change the password again - and
> this is my problem. The only way I found so far, is to set the bit
> UAI$V_PWD_EXPIRED in the field UAI$_FLAGS. It works, but the result of doing
> this is that every user that do this nasty thing (using his/her old password)
> are running in and out of my office, and *that* was not my idea.
>
> Does anyone know how to force the user to change the password next time he/she
> log on the system? If I got this program to work and if anyone out there
> would like a copy of it, I will send it to the list.

Try setting the password expiration time to some time in the past.

BUT...please don't do what you are talking about doing. It's the typical techie fix for a people problem, and it won't work. In fact, it'll probably make things worse: Have a machine force people to do something they don't think is important - it makes NO difference what YOU think is important - will simply encourage them to find ways of fooling the machine. The classic story along this line is of the guy who found a quick way to come up with the required new password every month: He just used the name of the month. He was so proud of his new technique that he told everyone in the office about it - and they started doing the same thing. Fix the system to reject month names or words in the dictionary and people will use "month name followed by X". Force them to use a password generator every month and they'll write the password on their blackboard. (The ones who are "security conscious" will write it on a piece of paper hidden in a desk drawer.)

Education is the ONLY reliable way to increase system security. Understand what you are trying to accomplish, and why, and make sure your users understand it, too. Then they and you will be on the same side, rather than fighting. Get into a fight with your users, and I can absolutely predict who will win in the long run. Hint: It won't be you.

-- Jerry
carl@CITHEX.CALTECH.EDU (Carl J Lydick) (07/08/88)
> I am writing a program that will check if a user have changed his/her password
> from AAA to BBB and back to AAA. A lot of users do this, and it is not very
> secure. My idea was to write a program that check if the user have changed the
> password since last check, and if so, check if the new hashed password value
> is in a table. The table contain a list of the last 20 (or more) hashed
> password value, one table for each user on the system. If the new hashed
> password is in the table, then the user must change the password again - and
> this is my problem. The only way I found so far, is to set the bit
> UAI$V_PWD_EXPIRED in the field UAI$_FLAGS. It works, but the result of doing
> this is that every user that do this nasty thing (using his/her old password)
> are running in and out of my office, and *that* was not my idea.
>
> Does anyone know how to force the user to change the password next time he/she
> log on the system? If I got this program to work and if anyone out there
> would like a copy of it, I will send it to the list.

By comparing the UAF records for an account before and after using AUTHORIZE to set the account /PWDEXP, I've found that setting it /PWDEXP causes the longword at offset %x17C in the record to be set to %xFFFFFFFF. I THINK this is the high longword of the UAI$_PWD_DATE field. Note that when an account is set /PWDEXP this shows up in AUTHORIZE as Pwdchange: (pre-expired) (that's why I think this is the high-order longword in UAI$_PWD_DATE). Hope this helps.
IMHW400@INDYVAX.BITNET (07/08/88)
I am not *certain* as to how LOGINOUT implements the last-chance password expiry message, but have you tried setting the password expiration time to some point in the past? I believe that if the password date has passed, but the password-expired bit is not set, LOGINOUT will give the user that message about "your password has expired, change it before you log out!" and set the expired bit. Try it and see!

For now, the only way I can think of to FORCE a password change, is to run a program from SYLOGIN that checks for the expired bit and spawns a SET PASSWORD command if set. Or, if you can wait until VMS V5.0, I am told that forcing a change will be a standard option in that version.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Mark H. Wood   IMHW400@INDYVAX.BITNET   (317)274-0749
III  U   U  PPPP   U   U  III   Indiana University - Purdue University at Indianapolis
 I   U   U  P   P  U   U   I    799 West Michigan Street, ET 1023
 I   U   U  PPPP   U   U   I    Indianapolis, IN 46202 USA
 I   U   U  P      U   U   I    [@disclaimer@]
III   UUU   P       UUU   III
ockenden@prlhp1.prl.philips.co.uk (Paul T Ockenden) (07/11/88)
In article <165*dahls@vax.elab.unit.uninett> dahls%vax.elab.unit.uninett@TOR.NTA.NO (Joern Yngve Dahl-Stamnes) writes:
>I am writing a program that will check if a user have changed his/her password
>from AAA to BBB and back to AAA.
>
>Does anyone know how to force the user to change the password next time he/she
>log on the system? If I got this program to work and if anyone out there
>would like a copy of it, I will send it to the list.
>

There was a proggy such as this on one of the DECUS sig tapes - I think it might have been one of the 85 tapes ????

--
Paul Ockenden
Philips Radiotherapy Systems, Crawley, UK   +44 293 28787 x 4349
UUCP  - uunet!mcvax!ukc!prlhp1!ockenden
JANET - ockenden%prlhp1@uk.ac.Ukc
Opinions (where expressed) are those of Paul Ockenden the individual, NOT Paul Ockenden the Philips Employee !!
SYSJAMIE@utorphys.BITNET (James MacEwan) (07/14/88)
There is a program that does your password checking (to prevent users' passwords going aaa --> bbb --> aaa) in the Anaheim DECUS tapes.

Jamie.