Network Security Security-Basics
Re: Password Management

Subject: Re: Password Management
Date: Mon, 24 Apr 2006 14:54:23 -0400
Hi Badhri,

Have you considered certificate based authentication? This would provide your
organization with complete oversight with respect to login operations and ensure
that user password theft, loss or other negligence can be curtailed. Given the *nix
nature of your application it should be easy to use SSL certs to login, and by
setting up the terms of each certificate, you can also ensure other user rights and/or
revocation of the same are managed through a similar certification mechanism.


Just a few thoughts... google: TLS/SSL Authentication to see the scope of work on
this methodology. I'm thinking it's potentially a real winner. In truly secure networks
passwords are the weakest link, and therefore, where we have a cost-effective
mechanism for the replacement of the weak link, it's well worthy of the investigation.


Furthermore, once certificates are implemented, they're easy to manage, and you'll
generally have fewer help desk issues, as the login process can be entirely automated
based on the existence of a certificate.


It's interesting to note that from a legal aspect, the use of certificates also constitutes
a contractual mechanism whereby user/resource security can be better protected
under IT or other Business policy.


My two cents.

Sean Swayze
info@pcsage.biz

On 18-Nov-05, at 1:01 AM, Badhrinath S wrote:

Hi all,

An application has been using Unix PAM till now for password authentication.
This is a client-server model where the server uses a database for its operations.
Now it has to manage the passwords by itself with the following constraints.


--> Check if the password is not the same as the previous 5 passwords set
--> Check if the password differs from the old password by at least 3 characters.


So, can you please give me suggestions to manage this effectively?
--> Do I encrypt and save the previous 5 and the current passwords in the
database, or how can the passwords be stored better?
--> Can symmetric keys be used, or will asymmetric key usage be better?
--> How to decide upon the key values?


I guess hashing will not be useful since we need to check for at least a 3
character change in passwords. Please comment.

--
Thanks
Badhri
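The two policy checks in the quoted question can be enforced without storing any password in recoverable form. Below is an added example (not code from either poster) that keeps only salted PBKDF2 digests for the current password and the previous five, and performs the "differs by at least 3 characters" test against the old password as the user types it in at change time, since a password change already requires proving the old one. Assumptions: "differs by 3 characters" is interpreted as Levenshtein edit distance, PBKDF2-HMAC-SHA256 with a 100,000-iteration work factor stands in for whatever hash the application chooses, and all sample passwords are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

HISTORY_DEPTH = 5            # previous passwords to remember, per the question
MIN_CHAR_DIFFERENCE = 3      # required edit distance from the current password, per the question
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example; raise it for production


@dataclass
class PasswordRecord:
    """A salted PBKDF2 digest; the plaintext itself is never stored."""
    salt: bytes
    digest: bytes


@dataclass
class UserAccount:
    current: PasswordRecord
    # Most recent first; holds at most HISTORY_DEPTH retired records.
    history: List[PasswordRecord] = field(default_factory=list)


def make_record(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Hash a password under a fresh random salt with PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return PasswordRecord(salt=salt, digest=digest)


def matches(record: PasswordRecord, password: str) -> bool:
    """Re-derive the digest under the record's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record.digest)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character insertions, deletions, substitutions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute ca -> cb
        previous = current
    return previous[-1]


def create_account(password: str) -> UserAccount:
    return UserAccount(current=make_record(password))


def change_password(account: UserAccount, old_password: str, new_password: str) -> str:
    """Apply both policy checks; returns "ok" or a short reason for refusal."""
    # The caller proves knowledge of the current password, so its plaintext is
    # in hand for the character-difference check without ever being stored.
    if not matches(account.current, old_password):
        return "bad-old-password"
    if edit_distance(old_password, new_password) < MIN_CHAR_DIFFERENCE:
        return "too-similar"
    # History check: every stored digest has its own salt, so the candidate is
    # re-hashed per record; a simple digest-equality lookup would miss matches.
    for record in [account.current] + account.history:
        if matches(record, new_password):
            return "reused"
    account.history.insert(0, account.current)
    del account.history[HISTORY_DEPTH:]   # forget anything older than the last five
    account.current = make_record(new_password)
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from the list post.
    acct = create_account("Spring2006!")
    print(change_password(acct, "Spring2006!", "Spring2007!"))   # too-similar
    print(change_password(acct, "Spring2006!", "Summer2006!"))   # ok
    print(change_password(acct, "Summer2006!", "Spring2006!"))   # reused
```

Because each record carries its own salt, the reuse check costs one PBKDF2 derivation per remembered password, which is acceptable for six records; choosing a single per-user salt for the whole history would make the check cheaper but lets an attacker who obtains the table test one guess against all six digests at once.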

