[cryptography] Password non-similarity?

Eitan Adler lists at eitanadler.com
Tue Dec 27 16:29:45 EST 2011


On Tue, Dec 27, 2011 at 4:11 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>> Has anyone ever implemented a system to enforce non-similarity business rules?

Enforcing these rules with any regularity (i.e. not in response to a
specific known breach) seems like it's asking for trouble on the UX
side of things.

> Create a Bloom filter for passwords.  When a password is set, create many
> obvious variants -- add a period, add a digit, increment a digit, etc. -- and
> enter the whole set into the Bloom filter.  At password change time, see if
> the new password is in the Bloom filter.

On a similar note, without the possibility of false positives from
Bloom filters, you can store a hash of the "normalized" password as
well as the full password. The full password hash is what you use for
authentication, but you can normalize and check new passwords against
the hashed normalized password.

Note that both of our suggestions require knowing what "similar" is
when the password is first stored.

-- 
Eitan Adler
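The normalized-hash check described in the reply above, as an added example that is not part of the original post. The normalization rules (case folding, a few leetspeak substitutions, leading and trailing digits and punctuation stripped) are my own assumption, and PBKDF2 stands in for whatever slow password hash a real system uses.

```python
import hashlib
import hmac
import os
import re

# Assumed normalization table: undo common "leetspeak" substitutions so that
# "Tr0ub4dor" and "troubador" collapse to the same normalized form.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to the form used for the similarity check."""
    p = password.lower()
    p = re.sub(r"[\W\d_]+$", "", p)   # drop trailing digits / punctuation
    p = re.sub(r"^[\W\d_]+", "", p)   # and leading ones
    p = p.translate(LEET)
    # Edge case: an all-digit or all-punctuation password normalizes to "",
    # which would make every such password "similar"; fall back to the
    # lower-cased original instead.
    return p or password.lower()


def _hash(secret: str, salt: bytes) -> bytes:
    # Slow salted hash; 100k PBKDF2 rounds is a placeholder parameter.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def store(password: str) -> dict:
    """Store two hashes: the full password (for login) and its normalized form
    (for the similarity check). The rules used here are fixed at store time,
    which is the caveat raised in the post."""
    salt = os.urandom(16)
    return {"salt": salt,
            "full": _hash(password, salt),
            "norm": _hash(normalize(password), salt)}


def verify(record: dict, password: str) -> bool:
    """Authentication uses only the full-password hash."""
    return hmac.compare_digest(record["full"], _hash(password, record["salt"]))


def too_similar(record: dict, candidate: str) -> bool:
    """Password-change check: reject a new password whose normalized form
    hashes to the stored normalized hash. No false positives, unlike a
    Bloom filter, but only catches what the normalization anticipated."""
    return hmac.compare_digest(record["norm"],
                               _hash(normalize(candidate), record["salt"]))
```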
