[cryptography] Password non-similarity?

Steven Bellovin smb at cs.columbia.edu
Tue Dec 27 16:11:50 EST 2011


On Dec 27, 2011, at 3:54 PM, Jeffrey Walton wrote:

> Hi All,
> 
> We're bouncing around ways to enforce non-similarity in passwords over
> time: password1 is too similar to password2 (and similar to
> password3, etc).
> 
> I'm not sure it's possible with one way functions and block cipher residues.
> 
> Has anyone ever implemented a system to enforce non-similarity business rules?


Create a Bloom filter for passwords.  When a password is set, create many
obvious variants -- add a period, add a digit, increment a digit, etc. -- and
enter the whole set into the Bloom filter.  At password change time, see if
the new password is in the Bloom filter.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb
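An added worked example of the scheme Steve describes above (editor-added illustration code, not Steve's own or anything from the list): a per-user Bloom filter whose hash positions are derived from an HMAC under a server-side secret, a variant generator covering the mutations he lists (add a period, add a digit, increment a digit) plus a few more of the same kind (case changes, leet substitutions, single-character deletions, reversal), and the membership check run at password-change time. The class and function names (PasswordHistory, variants), the sizing constants and the constructed secret key are assumptions, not anything the post specifies.

```python
import hashlib
import hmac
import math


class BloomFilter:
    """Bit-array Bloom filter whose hash positions are derived from an HMAC.

    Keying the hashes means a stolen filter cannot be probed offline for
    old-password variants without also stealing the server-side key.
    """

    def __init__(self, capacity, fp_rate, key):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.key = key

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing: k indices from one HMAC-SHA256.
        digest = hmac.new(self.key, item.encode("utf-8"), hashlib.sha256).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride, never collapses to 0
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


# Assumed substitution table for the leet-speak variants (illustrative, not exhaustive).
LEET = (("a", "@"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$"), ("s", "5"), ("l", "1"))


def variants(pw):
    """Obvious mutations of pw: the ones Steve lists plus a few of the same kind."""
    out = {pw, pw.lower(), pw.upper(), pw.capitalize(), pw.swapcase(), pw[::-1]}
    stripped = pw.rstrip("0123456789!.?#$@")   # 'password1!' -> 'password'
    if stripped:
        out.add(stripped)
    for suffix in "0123456789!.?#$@":          # add a digit, add a period, etc.
        out.add(pw + suffix)
        if stripped:
            out.add(stripped + suffix)
    for i, c in enumerate(pw):                 # increment or decrement any digit
        if c.isdigit():
            for d in (-1, 1):
                out.add(pw[:i] + str((int(c) + d) % 10) + pw[i + 1:])
    for plain, leet in LEET:                   # leet substitutions in both directions
        out.add(pw.replace(plain, leet))
        out.add(pw.replace(leet, plain))
    for i in range(len(pw)):                   # every single-character deletion
        out.add(pw[:i] + pw[i + 1:])
    out.discard("")
    return out


class PasswordHistory:
    """Per-user filter holding variants of every password the user has set."""

    def __init__(self, key, max_passwords=10, variants_per_password=150, fp_rate=1e-4):
        # A Bloom filter cannot forget, so size it for the whole retained history.
        self.filter = BloomFilter(max_passwords * variants_per_password, fp_rate, key)

    def record(self, pw):
        for v in variants(pw):
            self.filter.add(v)

    def too_similar(self, candidate):
        # No false negatives: a miss is a definite "not similar";
        # a hit is "probably similar", wrong at roughly fp_rate.
        return candidate in self.filter


if __name__ == "__main__":
    key = b"constructed-server-side-secret"   # constructed; keep the real one in a KMS
    history = PasswordHistory(key)
    history.record("password1")
    for candidate in ("password2", "Password1", "password1!", "password",
                      "p@ssword1", "correct horse battery staple"):
        print(f"{candidate!r:34} too similar: {history.too_similar(candidate)}")
```

Two caveats a deployer would want: the filter is sensitive data, since anyone who can query it (or who has the HMAC key and a copy of it) can test guesses against every old password's variants, so store it with the same care as the password hashes; and because a Bloom filter only ever answers "possibly seen", an unlucky unrelated password will occasionally be rejected, at a rate set by fp_rate, which is an acceptable cost here because the user simply picks another.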
