[cryptography] Password non-similarity?

Landon ljrhurley at gmail.com
Sat Dec 31 18:15:49 EST 2011


A lot of the password reuse is simply adding +1 or something on the end.
Since the base of the password stays the same, couldn't you just hash the
first and second halves of the new and old passwords separately and compare
each pair? (Or any arbitrary length.) Then if they match you can reject the
password.

That way abcde5 and abcde6 would split into hashes of (abc) (de5) and
(abc) (de6). Since abc would match the password and fail, and as long
as you don't let anyone know why they fail, beyond being too similar to
the old one, the passwords would be forced to be largely different just
to authenticate a new one. Run it all client side so that it doesn't
ever hit the servers, and only store the hashed password after it has
been accepted as different enough. 

It would mean that anyone with a decent length pass that changes one
character in either tail would be failed, but at least it would force
enough change to obscure it.

Still doesn't mitigate keyloggers, but it does help with 1 & 2 when
coupled with minimum password requirements. Of course, you could also
run everything plaintext clientside to check for symbol and numbers,
and skip the mess of hashes entirely.

Landon



>John Levine <johnl at iecc.com> wrote:
>
>>Passwords aren't dead, and despite what IBM says I don't think they're
>>going away any time soon. But we need new rules and new guidelines
>>for managing them; the ones from the 1980s don't work anymore.
>
>Yeah. At this point the issues seem to be, in no particular order:
>
>1. Trivially guessable passwords
>2. Password reuse
>3. Keyloggers and other password stealing software
>
>The various risks depend a lot on the environment, e.g., what's
>trivially guessable depends on how often you're allowed to guess.
>
>R's,
>John

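The chunked-hash check proposed in the post above, written out as an added example (editor's code, not from the thread). It generalises the "hash the halves" idea to any fixed chunk length, as the post allows, and keys each chunk digest with a hypothetical per-user salt. It also shows two things a defender would want to know before deploying it: the comparison is positional, so a one-character insertion at the front shifts every chunk boundary and slips past the check; and whichever side holds the old password's chunk digests (the client in the post's design) is holding digests of three-character strings, which are cheap to invert by exhaustive search. The chunk length, salt and passwords are constructed values.

```python
import hashlib
import hmac
import itertools
import string

# Constructed parameters for the example (hypothetical; not from the post).
CHUNK_LEN = 3
SALT = b"constructed-per-user-salt"


def chunk_digests(password, chunk_len=CHUNK_LEN, salt=SALT):
    """Split the password into fixed-length chunks and hash each chunk on its own.

    This is the post's scheme: with chunk_len=3, "abcde5" becomes digests of
    b"abc" and b"de5", so chunks of an old and a new password can be compared
    pairwise without comparing the whole passwords.
    """
    data = password.encode()
    chunks = [data[i:i + chunk_len] for i in range(0, len(data), chunk_len)]
    return [hmac.new(salt, chunk, hashlib.sha256).digest() for chunk in chunks]


def too_similar(old_digests, new_password, chunk_len=CHUNK_LEN, salt=SALT):
    """Reject the new password if any chunk, at the same position, hashes to
    the same value as the corresponding chunk of the old password.

    zip() stops at the shorter list, so extra trailing chunks of a longer
    password are simply not compared.
    """
    new_digests = chunk_digests(new_password, chunk_len, salt)
    return any(hmac.compare_digest(a, b) for a, b in zip(old_digests, new_digests))


def recover_chunk(digest, alphabet=string.ascii_lowercase, chunk_len=CHUNK_LEN, salt=SALT):
    """Caveat demonstration: a chunk digest covers only chunk_len characters,
    so whoever stores the old password's chunk digests is storing something
    that falls to a search over len(alphabet) ** chunk_len guesses (17,576
    for three lowercase letters). Returns the chunk text, or None if it is
    not in the alphabet.
    """
    for candidate in itertools.product(alphabet, repeat=chunk_len):
        guess = "".join(candidate).encode()
        if hmac.compare_digest(hmac.new(salt, guess, hashlib.sha256).digest(), digest):
            return guess.decode()
    return None


if __name__ == "__main__":
    old = chunk_digests("abcde5")
    print("abcde5 -> abcde6 rejected:", too_similar(old, "abcde6"))   # True: "abc" matches
    print("abcde5 -> xyzde5 rejected:", too_similar(old, "xyzde5"))   # True: "de5" matches
    print("abcde5 -> zzzzzz rejected:", too_similar(old, "zzzzzz"))   # False: no chunk matches
    print("abcde5 -> 1abcde5 rejected:", too_similar(old, "1abcde5")) # False: boundaries shifted
    print("first chunk recovered from its digest:", recover_chunk(old[0]))
```

The `1abcde5` case is the failure mode to keep in mind: prepending a character moves every chunk boundary, so none of the positional digests line up even though the two passwords differ by one character. The `recover_chunk` call shows why the old password's chunk digests must be treated as nearly plaintext: the per-chunk search space is tiny compared with that of the whole password.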

