A lot of the password reuse is simply adding +1 or something on the end. Since the base of the password stays the same, couldn't you just hash the first and second halves of the new and old passwords separately and compare each pair? (Or any arbitrary length.) Then if they match you can reject the password.

That way abcde5 and abcde6 would split into hashes of (abc) (de5) and (abc) (de6). Since abc would match the password and fail, and as long as you don't let anyone know why they fail, beyond being too similar to the old one, the passwords would be forced to be largely different just to authenticate a new one. Run it all client side so that it doesn't ever hit the servers, and only store the hashed password after it has been accepted as different enough. It would mean that anyone with a decent length pass that changes one character in either tail would be failed, but at least it would force enough change to obscure it. Still doesn't mitigate keyloggers, but it does help with 1 & 2 when coupled with minimum password requirements. Of course, you could also run everything plaintext client side to check for symbols and numbers, and skip the mess of hashes entirely.

Landon

> John Levine <[email protected]> wrote:
>
>> Passwords aren't dead, and despite what IBM says I don't think they're
>> going away any time soon. But we need new rules and new guidelines
>> for managing them; the ones from the 1980s don't work anymore.
>
> Yeah. At this point the issues seem to be, in no particular order:
>
> 1. Trivially guessable passwords
> 2. Password reuse
> 3. Keyloggers and other password stealing software
>
> The various risks depend a lot on the environment, e.g., what's
> trivially guessable depends on how often you're allowed to guess.
>
> R's,
> John
> _____________________________________________
>
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
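The split-and-hash similarity check Landon describes, written out as an added example (not code from the post or the list): the old and new passwords are cut into aligned pieces (two halves by default, any number via the `parts` parameter, which generalizes the "arbitrary length" remark), each piece is hashed separately, and the change is rejected with the single generic reason the post recommends if any pair of piece digests matches. The function names and the constructed salt are assumptions of this example.

```python
import hashlib
import hmac


def split_into_parts(password: str, parts: int = 2) -> list:
    """Split the password into `parts` consecutive pieces of (nearly) equal length.
    parts=2 gives the first/second halves from the post, e.g. abcde5 -> abc, de5."""
    pw = password.encode("utf-8")
    size, extra = divmod(len(pw), parts)
    pieces, start = [], 0
    for i in range(parts):
        end = start + size + (1 if i < extra else 0)  # leading pieces absorb the remainder
        pieces.append(pw[start:end])
        start = end
    return pieces


def part_hashes(password: str, parts: int, salt: bytes) -> list:
    """Hash every piece on its own (salted), as the post proposes for the client-side check."""
    return [hashlib.sha512(salt + piece).digest() for piece in split_into_parts(password, parts)]


def too_similar(old_password: str, new_password: str, parts: int = 2,
                salt: bytes = b"constructed-per-user-salt") -> bool:
    """True when any positionally aligned piece of the new password hashes to the same digest
    as the corresponding piece of the old one; only digests are compared, never plaintext."""
    old = part_hashes(old_password, parts, salt)
    new = part_hashes(new_password, parts, salt)
    return any(hmac.compare_digest(a, b) for a, b in zip(old, new))


def check_new_password(old_password: str, new_password: str, parts: int = 2) -> str:
    """Client-side decision with the one non-revealing reason the post recommends."""
    if too_similar(old_password, new_password, parts):
        return "rejected: too similar to the old password"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample pairs: the post's own example, a changed head, and an unrelated password.
    for old, new in [("abcde5", "abcde6"), ("abcde5", "xbcde5"), ("abcde5", "correcthorse")]:
        print(old, "->", new, ":", check_new_password(old, new))
```

The per-piece digests exist only for the duration of the check and must never be stored or sent, since a digest of a three-character piece is trivially reversible by exhaustive guessing; that is exactly why the post keeps the whole process client side and stores only the hash of the accepted password.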
