How does “your new password must differ at least n characters from the previous” work when only hash codes are stored

hashpasswordpassword-managementpassword-policy

I am wondering how the password policy "your new password must differ at least n characters from your old password" works.

My understanding is that the OS never actually stores the old passwords themselves, but their hash codes instead. And there is no way of knowing in how many characters the two strings differ if you have only their hash codes.

Am I right in the guess that it can work only if the passwd program asks you explicitly at the same time also for your old password?

And is the consequence that if a root user changes someone else's password, the "number of different characters" policy simply cannot be applied here?

Best Answer

Such policies are usually implemented by applying them when asking for the old password.

Another option would be to brute-force the old one. When you input your new one, a modern computer has no problem to brute-force all passwords which differ by 2 characters from the new one. As far as I know this is not used in the normal authentication in typical linux distributions but possible some PAM modules implement this.

The usual approach for root changing passwords is to assume that the superuser know's what he's doing. The passwd program does not ask for the old password and allows you to override rules like a minimum length at your own risk.

Related Solutions

Security – HOWTO: Disable complex password policy on Hyper-V Server 2008

You can export security settings with:

secedit /export /cfg X:\new.cfg

Then you edit new.cfg (it is ini format) and change line "PasswordComplexity = 1" to "PasswordComplexity = 0". Apply it on Hyper-V server with:

secedit /configure /db C:\Windows\security\new.sdb /cfg X:\new.cfg /areas SECURITYPOLICY

You can find more details in this blog post.

How to logon to a user account on a domain without destroying user password

Imho - The best solution would be to use a client management tool that allows you to remotely overtake a running user session for the time of fixing the tech problem (*).

You would call the user first, and ask him/her to make sure to close all open programs/windows that may underly restrictive access limitations by company laws, plus - if private usage of the company computers is allowed - to close all programs/windows that may be related to that. Furthermore, the management tool will inform your user about your takeover by a message like: "Do you want to allow admin-xyz to gain control over your desktop?", and the user needs to Ok that. Another good thing about that kind of software is, that the user can see what you are doing on its machine. Much more transparent than 'fixing things in the dark'.

I also totally agree to nhinkle's comment - do not ask your users for their passwords! One thing is the mentioned social engineering factor, the other one is that you need to protect yourself from heart attacks by knowing to what kind of amazing passwords your users rely to..

iDesktop, TightVNC, TeamViewer, Landesk, etc..

Best Answer

Related Solutions

Security – HOWTO: Disable complex password policy on Hyper-V Server 2008

How to logon to a user account on a domain without destroying user password

Related Topic