[cryptography] Password non-similarity?

mheyman at gmail.com mheyman at gmail.com
Thu Jan 5 08:10:57 EST 2012

On Sat, Dec 31, 2011 at 5:02 PM, Landon <ljrhurley at gmail.com> wrote:
> A lot of the password reuse is simply adding +1 or something on
> the end. Since the base of the password stays the same, couldn't
> you just hash the first and second halves of the new and old
> passwords separately and compare each pair? (Or any arbitrary
> length) Then if they match you can reject the password.
Sounds reasonable, but....

This utterly breaks security from offline attacks unless you double
the length of the required password. Now, instead of brute-forcing  8
or 10ish character passwords, an attacker that obtained the hashes
must only brute force two 4 or 5ish character sub-passwords - a much
easier proposition.
-Michael Heyman

More information about the cryptography mailing list