[cryptography] Password non-similarity?

Landon ljrhurley at gmail.com
Sat Dec 31 17:02:20 EST 2011


A lot of the password reuse is simply adding +1 or something on the end. Since the base of the password stays the same, couldn't you just hash the first and second halves of the new and old passwords separately and compare each pair? (Or any arbitrary length.) Then if they match you can reject the password.

That way abcde5 and abcde6 would split into hashes of (abc) (de5) and (abc) (de6). Since abc would match the password and fail, and as long as you don't let anyone know why they fail, beyond being too similar to the old one, the passwords would be forced to be largely different just to authenticate a new one. Run it all client side so that it doesn't ever hit the servers, and only store the hashed password after it has been accepted as different enough. 

It would mean that anyone with a decent-length password who changes one character in either tail would be failed, but at least it would force enough change to obscure it.

Still doesn't mitigate keyloggers, but it does help with 1 & 2 when coupled with minimum password requirements. Of course, you could also run everything plaintext clientside to check for symbol and numbers, and skip the mess of hashes entirely.

Landon



John Levine <johnl at iecc.com> wrote:

>Passwords aren't dead, and despite what IBM says I don't think they're
>going away any time soon. But we need new rules and new guidelines
>for managing them; the ones from the 1980s don't work anymore.

Yeah. At this point the issues seem to be, in no particular order:

1. Trivially guessable passwords
2. Password reuse
3. Keyloggers and other password stealing software

The various risks depend a lot on the environment, e.g., what's
trivially guessable depends on how often you're allowed to guess.

R's,
John
_____________________________________________

cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

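An added worked example of the chunked-hash similarity check proposed above. This is not Landon's code or anything from the list; it assumes SHA-256 as the per-chunk hash (the post only says "hash"), two chunks of equal length as in the abcde5 / abcde6 example, and a client that still has the old password's chunk hashes available to compare against. The second function shows the caveat a practitioner would want: a hash of a three-character chunk over letters and digits is only 62^3 possibilities, so the old chunk hashes are as sensitive as the password itself and must never be stored or transmitted where an attacker could read them. The test inputs are constructed for the example.

```python
"""Chunked-hash password-similarity check (added example, not from the thread)."""
import hashlib
import itertools
import string

ALPHABET = string.ascii_letters + string.digits  # assumed chunk alphabet for the search


def chunk_hashes(password, chunks=2):
    """Split the password into `chunks` roughly equal pieces and hash each piece.

    abcde5 with chunks=2 -> pieces "abc" and "de5", each hashed separately.
    SHA-256 is an assumption; the post does not name a hash.
    """
    size = -(-len(password) // chunks)  # ceiling division so no piece is lost
    pieces = [password[i:i + size] for i in range(0, len(password), size)]
    return [hashlib.sha256(p.encode()).hexdigest() for p in pieces]


def too_similar(old_chunk_hashes, new_password, chunks=2):
    """Reject the new password if any chunk hash matches the old one at the same position.

    This is the proposed rule: abcde5 -> abcde6 shares the "abc" chunk, so it fails.
    It is positional only: a rotation such as 5abcde shifts every chunk and passes.
    """
    new_hashes = chunk_hashes(new_password, chunks)
    return any(old == new for old, new in zip(old_chunk_hashes, new_hashes))


def recover_chunk(chunk_hash, alphabet=ALPHABET, max_len=3):
    """Brute-force a short chunk from its unsalted hash.

    Demonstrates why the per-chunk hashes are secrets: for a 3-character chunk
    over letters and digits there are at most 62^3 = 238,328 candidates.
    Returns the recovered chunk, or None if nothing up to max_len matches.
    """
    for length in range(1, max_len + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            guess = "".join(candidate)
            if hashlib.sha256(guess.encode()).hexdigest() == chunk_hash:
                return guess
    return None


if __name__ == "__main__":
    old = chunk_hashes("abcde5")  # constructed sample: the old password
    print("abcde6 rejected:", too_similar(old, "abcde6"))   # True, shares "abc"
    print("5abcde rejected:", too_similar(old, "5abcde"))   # False, rotation evades the check
    print("xyz123 rejected:", too_similar(old, "xyz123"))   # False, genuinely different
    print("second chunk recovered:", recover_chunk(old[1]))  # de5
```

Run it as a script to see the three decisions and the recovered chunk; the recovery takes well under a second, which is the point about keeping the chunk hashes client-side and short-lived.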

