[cryptography] Password non-similarity?

mheyman at gmail.com
Thu Jan 5 08:10:57 EST 2012


On Sat, Dec 31, 2011 at 5:02 PM, Landon <ljrhurley at gmail.com> wrote:
>
> A lot of the password reuse is simply adding +1 or something on
> the end. Since the base of the password stays the same, couldn't
> you just hash the first and second halves of the new and old
> passwords separately and compare each pair? (Or any arbitrary
> length) Then if they match you can reject the password.
>
Sounds reasonable, but....

This utterly breaks security from offline attacks unless you double
the length of the required password. Now, instead of brute-forcing 8
or 10ish character passwords, an attacker that obtained the hashes
must only brute force two 4 or 5ish character sub-passwords - a much
easier proposition.
----
-Michael Heyman
