[cryptography] Password non-similarity?
Kevin W. Wall
kevin.w.wall at gmail.com
Fri Dec 30 20:56:11 EST 2011
On Fri, Dec 30, 2011 at 8:40 PM, Randall Webmail <rvh40 at insightbb.com> wrote:
> On Tue, 27 Dec 2011 15:54:35 -0500 (EST), Jeffrey Walton <noloader at gmail.com> wrote:
>> We're bouncing around ways to enforce non-similarity in passwords over
>> time: password1 is too similar to password2 (and similar to
>> password3, etc).
>> I'm not sure it's possible with one-way functions and block cipher residues.
>> Has anyone ever implemented a system to enforce non-similarity business rules?
> You are going to run into massive resistance from the user base, almost all of whom have
> been told of the organization's "Change your password every X days" rule, and almost the
> same number of whom have been told "Just pick a password you'll remember, like your dog's name,
> and then when you have to change it, just add a 1 on the end."
Boy, the latter sounds like advice that a black hat hacker would give someone to
ensure simple dictionary attacks are successful. Your dog's name? Really???
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
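As an added example, not part of this thread or written by any of its participants: one way to enforce the non-similarity rule Jeffrey asks about while still storing only salted one-way hashes. It assumes the user must present the current password in cleartext at change time (which is what makes a similarity comparison possible at all) and that the check is only against that immediately previous password; the `normalize` helper, the edit-distance threshold and the PBKDF2 parameters are illustrative choices, not anything the list settled on.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # PBKDF2 work factor; illustrative value, tune for your hardware

def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insert/delete/substitute steps to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(pw: str) -> str:
    """Undo the usual 'just add a 1 on the end' transforms: case and trailing digits/punctuation."""
    return re.sub(r"[\d!@#$%^&*._-]+$", "", pw).lower()

def too_similar(old: str, new: str, min_distance: int = 4) -> bool:
    """True when `new` is a trivial edit of `old`, e.g. password1 -> password2."""
    n_old, n_new = normalize(old), normalize(new)
    if n_old and (n_old == n_new or n_old in new.lower()):
        return True
    return levenshtein(old.lower(), new.lower()) < min_distance

def make_record(pw: str) -> tuple:
    """Persist only a salted one-way hash; the cleartext is never stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def verify(record: tuple, pw: str) -> bool:
    """Constant-time comparison of a candidate password against the stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def change_password(record: tuple, current: str, new: str) -> tuple:
    """Authenticate with the current password, then compare it to the new one in cleartext.

    This is the only moment the server legitimately holds the old password in the
    clear, so it is the only moment a similarity rule can be applied against it.
    """
    if not verify(record, current):
        raise ValueError("current password incorrect")
    if too_similar(current, new):
        raise ValueError("new password is too similar to the current one")
    return make_record(new)
```

Checking against older entries in a password history cannot be done this way, since only their hashes survive; at most one can hash a few fixed transforms of the candidate and compare digests.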