[cryptography] Password non-similarity?

Kevin W. Wall kevin.w.wall at gmail.com
Fri Dec 30 20:56:11 EST 2011


On Fri, Dec 30, 2011 at 8:40 PM, Randall Webmail <rvh40 at insightbb.com> wrote:
> On Tue, 27 Dec 2011 15:54:35 -0500 (EST), Jeffrey Walton <noloader at gmail.com> wrote:
>>Hi All,
>>
>>We're bouncing around ways to enforce non-similarity in passwords over
>> time: password1 is too similar to password2 (and similar to
>> password3, etc).
>>
>>I'm not sure it's possible with one way functions and block cipher residues.
>>
>>Has anyone ever implemented a system to enforce non-similarity business rules?
>
> You are going to run into massive resistance from the user base, almost all of whom have
> been told of the organization's "Change your password every X days" rule, and almost the
> same number of whom have been told "Just pick a password you'll remember, like your dog's name,
> and then when you have to change it, just add a 1 on the end."

Boy, the latter sounds like advice that a black hat hacker would give someone to
ensure simple dictionary attacks are successful. Your dog's name? Really???

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
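An added example, not code from anyone on this thread, of where a non-similarity rule can actually be enforced: the stored one-way hashes of password1 and password2 share nothing, so the comparison has to happen at change time, when the user supplies the current password in plaintext (verified against its stored hash) alongside the new one. The storage scheme (salted PBKDF2-HMAC-SHA256), the normalisation rule and the 0.5 edit-distance threshold are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for the example

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted PBKDF2 digest; similar inputs give unrelated digests."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(pw: str) -> str:
    """Drop case and any trailing digits/punctuation, so 'Rover1' and 'rover2' collide."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()

def too_similar(old: str, new: str, max_ratio: float = 0.5) -> bool:
    """True if the new password is a trivial edit of the old one."""
    if normalize(old) == normalize(new):
        return True
    dist = levenshtein(old.lower(), new.lower())
    return dist / max(len(old), len(new)) < max_ratio

def rejection_reason(old_plain: str, new_plain: str, salt: bytes, digest: bytes) -> Optional[str]:
    """Both plaintexts are available only at change time; hashes alone cannot be compared."""
    if not verify_password(old_plain, salt, digest):
        return "current password incorrect"
    if too_similar(old_plain, new_plain):
        return "new password too similar to the current one"
    return None

def change_password(old_plain: str, new_plain: str, salt: bytes, digest: bytes) -> Tuple[bytes, bytes]:
    reason = rejection_reason(old_plain, new_plain, salt, digest)
    if reason:
        raise ValueError(reason)
    return hash_password(new_plain)
```

Note that the check still only covers the previous password; a history of older plaintexts is never available, so "password1 vs password3" can only be caught by also rejecting the normalised form of the old password on each change.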