Question
The other day when changing my password on a Solaris 10 system I was surprised that Solaris was able to detect that I hadn't changed enough characters between the new and current passwords.
MINDIFF is the password security configuration parameter that specifies the minimum number of characters that need to be different between the current and new password when the password is being changed.
I'm pretty sure that Solaris is using one-way hashes to protect the secrecy of the plain-text password.
That got me thinking, how can Solaris (or any system) detect which characters have changed between passwords if it is using a one-way hash to validate passwords?
Explanation / Answer
When only using one-way hashing, is it possible to tell the number of characters changed between the old and new password?
No. If the hash function is strong, even a single bit change will give a completely different hash.
The only way to tell how many characters differ between a particular unknown hash value and a known password would be an exhaustive search, which might be possible for determining e.g. that more than one character must differ, but not in general.
That got me thinking, how can Solaris (or any system) detect which characters have changed between passwords if it is using a one-way hash to validate passwords?
Most likely answer: it asks for both your old password and the new when changing passwords, and can compare them at will.
Alternatively: it stores something other than just a hash (e.g. an encrypted password) that does allow comparisons. You should suspect this if a system has rules that concern more than one previous password. That is not a secure way to store passwords.
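As an added illustration of the answer's "most likely" explanation (example code, not from the question, the answerer, or Solaris): a password-change routine can only enforce a minimum-difference rule because the caller supplies the old password in plaintext, which is first verified against the stored salted hash and then compared character by character with the new one. The `changed_chars` function is a hypothetical approximation of the MINDIFF check, not Solaris's own counting rules, and `differing_hash_bits` shows why the stored hashes alone give no usable signal.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed work factor for the example; a real deployment tunes this.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256; fresh salt if none given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def changed_chars(old: str, new: str) -> int:
    """Hypothetical MINDIFF-style count: positions that differ plus any length difference.
    Only computable because both plaintexts are present at change time."""
    diff = sum(1 for a, b in zip(old, new) if a != b)
    return diff + abs(len(old) - len(new))


def change_password(stored: Tuple[bytes, bytes], old: str, new: str,
                    mindiff: int = 3) -> Tuple[bytes, bytes]:
    """Verify the old password against the stored hash, then enforce MINDIFF on plaintexts.
    Returns the new (salt, digest); the old hash is not needed afterwards."""
    salt, digest = stored
    if not verify_password(old, salt, digest):
        raise PermissionError("old password does not match stored hash")
    if changed_chars(old, new) < mindiff:
        raise ValueError(f"new password must differ in at least {mindiff} characters")
    return hash_password(new)


def differing_hash_bits(pw_a: str, pw_b: str, salt: bytes) -> int:
    """Count bits that differ between the two digests. For a one-character change this
    lands near half of 256, so hash comparison reveals nothing about how many
    characters changed."""
    _, da = hash_password(pw_a, salt)
    _, db = hash_password(pw_b, salt)
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))
```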