[cryptography] Password non-similarity?

Randall Webmail rvh40 at insightbb.com
Fri Dec 30 20:40:17 EST 2011

From: Jeffrey Walton <noloader at gmail.com>
To: Randombit List <cryptography at randombit.net>
Sent: Tue, 27 Dec 2011 15:54:35 -0500 (EST)
Subject: [cryptography] Password non-similarity?

>Hi All,

>We're bouncing around ways to enforce non-similarity in passwords over
>time: password1 is too similar to password2 (and similar to
>password3, etc).

>I'm not sure it's possible with one-way functions and block cipher residues.

>Has anyone ever implemented a system to enforce non-similarity business rules?

You are going to run into massive resistance from the user base, almost all of whom have been told of the organization's "Change your password every X days" rule, and almost the same number of whom have been told "Just pick a password you'll remember, like your dog's name, and then when you have to change it, just add a 1 on the end."
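An added example (not code from the thread or from either poster) showing what a password-history check can and cannot do once old passwords are stored only as one-way hashes: history entries can be tested for exact reuse, and a similarity rule such as "password1 vs password2" can only be applied against the current password, which the user supplies in cleartext at change time. The PBKDF2 parameters, the edit-distance threshold and the sample passwords are assumptions chosen for the illustration.

```python
"""Added example, not part of the original thread.

Stored state: salted PBKDF2 hashes of the current and previous passwords.
Consequence: reuse of an old password can be detected by exact match only;
similarity can be judged only against the current password, because that is
the one password available in cleartext during the change.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: illustrative work factor, not a recommendation
MAX_HISTORY = 5        # assumption: number of old hashes retained


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt per entry."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old_plain, new_plain, min_distance=3):
    """Similarity rule (assumed threshold): fewer than 3 edits apart, case-insensitive."""
    return levenshtein(old_plain.lower(), new_plain.lower()) < min_distance


class Account:
    def __init__(self, initial_password):
        self.current = hash_password(initial_password)
        self.history = []  # (salt, digest) pairs of previous passwords

    def change_password(self, old_plain, new_plain):
        salt, digest = self.current
        if not verify(old_plain, salt, digest):
            return "wrong current password"
        # Exact-reuse check: the only test the hashed history supports.
        for s, d in self.history + [self.current]:
            if verify(new_plain, s, d):
                return "reuse of a previous password"
        # Similarity check: possible only against the cleartext just presented.
        if too_similar(old_plain, new_plain):
            return "too similar to current password"
        self.history.append(self.current)
        self.history = self.history[-MAX_HISTORY:]
        self.current = hash_password(new_plain)
        return "ok"


def demo():
    """Walk one account through several changes; returns the outcome list.

    The last step shows the limitation: 'password3' is close to 'password1',
    used two rotations earlier, but only its hash remains, so the change is
    accepted.
    """
    acct = Account("password1")                      # constructed sample
    return [
        acct.change_password("password1", "password2"),     # similar: rejected
        acct.change_password("password1", "Tr0ub4dor&3"),   # accepted
        acct.change_password("Tr0ub4dor&3", "password1"),   # exact reuse: rejected
        acct.change_password("Tr0ub4dor&3", "password3"),   # accepted, undetectable
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The structure mirrors the point raised in the thread: once old passwords exist only as hashes, the server has nothing to measure similarity against except the password the user types in during the change, so "non-similarity over time" degrades to "not similar to the immediately preceding password" plus exact-match reuse checks.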
