On Sat, Dec 31, 2011 at 5:02 PM, Landon <ljrhur...@gmail.com> wrote:
>
> A lot of the password reuse is simply adding +1 or something on
> the end. Since the base of the password stays the same, couldn't
> you just hash the first and second halves of the new and old
> passwords separately and compare each pair? (Or any arbitrary
> length) Then if they match you can reject the password.
>

Sounds reasonable, but....

This utterly breaks security from offline attacks unless you double the length of the required password. Now, instead of brute-forcing 8 or 10ish character passwords, an attacker that obtained the hashes must only brute-force two 4 or 5ish character sub-passwords - a much easier proposition.

----
-Michael Heyman
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
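The work-factor argument in the reply above can be made concrete. The following is an added illustration written for this page, not code from either poster: it implements the proposed "hash each half separately" scheme beside an ordinary whole-password hash, runs an exhaustive search against both over a deliberately tiny constructed alphabet (lowercase letters, 4-character passwords) so it finishes in seconds, and reports how many guesses each design costs. The `search_space` helper generalizes the same count to the 95-symbol printable ASCII set and the 8-character length the reply mentions. Unsalted SHA-256 stands in for whatever password hash a real system would use; the point is the split, not the hash function.

```python
import hashlib
import itertools
import string

# Constructed toy alphabet so the exhaustive search below runs quickly.
# Real passwords draw from roughly 95 printable ASCII symbols.
ALPHABET = string.ascii_lowercase


def hash_whole(password):
    """Baseline design: the entire password is hashed as one unit."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_halves(password):
    """Proposed design from the thread: each half is hashed independently
    so that halves of the old and new password can be compared pairwise.
    Returns (hash_of_first_half, hash_of_second_half)."""
    mid = len(password) // 2
    return hash_whole(password[:mid]), hash_whole(password[mid:])


def brute_force(target_hash, length):
    """Exhaustive search over every string of `length` characters from ALPHABET.
    Returns (recovered_string, number_of_guesses_made)."""
    guesses = 0
    for chars in itertools.product(ALPHABET, repeat=length):
        candidate = "".join(chars)
        guesses += 1
        if hash_whole(candidate) == target_hash:
            return candidate, guesses
    raise ValueError("target not found in search space")


def attack_whole(password):
    """Cost of recovering a whole-password hash: up to |ALPHABET|**len guesses."""
    target = hash_whole(password)
    return brute_force(target, len(password))


def attack_halves(password):
    """Cost of recovering a split hash: the two halves are attacked independently,
    so the cost is the SUM of two much smaller searches, not their product."""
    mid = len(password) // 2
    first_hash, second_hash = hash_halves(password)
    first, n1 = brute_force(first_hash, mid)
    second, n2 = brute_force(second_hash, len(password) - mid)
    return first + second, n1 + n2


def search_space(length, split, alphabet_size=95):
    """Worst-case guess count for a password of `length` symbols.
    split=False: one search of alphabet_size**length.
    split=True:  two searches, one per half (the reply's 'two 4 or 5ish
    character sub-passwords')."""
    if not split:
        return alphabet_size ** length
    mid = length // 2
    return alphabet_size ** mid + alphabet_size ** (length - mid)


if __name__ == "__main__":
    pw = "zzzz"  # constructed worst-case password for this alphabet (searched last)
    print("whole-hash attack :", attack_whole(pw))
    print("split-hash attack :", attack_halves(pw))
    print("95-symbol, 8 chars, whole:", search_space(8, split=False))
    print("95-symbol, 8 chars, split:", search_space(8, split=True))
```

With the toy alphabet the whole-hash search needs 26^4 = 456,976 guesses in the worst case, while the split design falls in 26^2 + 26^2 = 1,352. At realistic parameters the gap is the ratio 95^8 / (2 * 95^4), roughly 40 million to one, which is why the reply says the required length would have to double just to get back to the original cost. The same structural weakness is the reason the old LM hash, which split a 14-character password into two independent 7-character halves, was retired.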