On Tue, Dec 27, 2011 at 4:11 PM, Steven Bellovin <s...@cs.columbia.edu> wrote:
>> Has anyone ever implemented a system to enforce non-similarity business 
>> rules?

Enforcing these rules with any regularity (i.e. not in response to a
specific known breach) seems like it's asking for trouble on the UX
side of things.

> Create a Bloom filter for passwords.  When a password is set, create many
> obvious variants -- add a period, add a digit, increment a digit, etc. -- and
> enter the whole set into the Bloom filter.  At password change time, see if
> the new password is in the Bloom filter.

On a similar note, without the possibility of false positives from
Bloom filters, you can store a hash of the "normalized" password as
well as the full password. The full password hash is what you use for
authentication, but you can normalize and check new passwords against
the hashed normalized password.

Note that both of our suggestions require knowing what "similar" is
when the password is first stored.

-- 
Eitan Adler
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
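Both checks discussed in the message above, as an added example that is not code from either poster: Bellovin's Bloom filter over "obvious variants" generated when the password is set, and Adler's hash of a normalized form stored beside the real verifier. The variant rules in obvious_variants(), the normalize() rule, the PasswordRecord class and the KDF iteration count are assumptions chosen for illustration. Because both structures live in the same database as the password verifier, the example derives them from a salted slow hash (PBKDF2) rather than a plain fast hash, so a stolen filter or digest is not a cheap offline oracle for the old password.

```python
"""Two server-side "new password too similar to the old one" checks.

  1. Bloom filter of obvious variants, built when the password is set
     (may return false positives, as the thread notes).
  2. Hash of a normalized form of the password, stored next to the
     login verifier (no false positives, but a coarser notion of similar).

Both only catch the kinds of "similar" that were anticipated at set time.
Variant rules, normalization rule and KDF parameters are assumptions.
"""
import hashlib
import hmac
import math
import os

# Slow, salted hash so neither structure is a fast offline oracle.
# Kept low so the example runs quickly; raise it in production.
KDF_ITERATIONS = 20_000


def slow_hash(text: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, KDF_ITERATIONS)


class BloomFilter:
    """Bloom filter whose k indexes are all derived from one slow hash."""

    def __init__(self, expected_items: int, fp_rate: float = 1e-6):
        self.m = max(64, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.salt = os.urandom(16)  # per-user salt: filters are not comparable across users

    def _indexes(self, item: str):
        digest = slow_hash(item, self.salt)            # 32 bytes
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1    # odd step, Kirsch-Mitzenmacher style
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for idx in self._indexes(item):
            self.bits[idx // 8] |= 1 << (idx % 8)

    def __contains__(self, item: str) -> bool:
        return all((self.bits[idx // 8] >> (idx % 8)) & 1 for idx in self._indexes(item))


def obvious_variants(password: str) -> set:
    """Mutations a user is likely to make when forced to change (assumed list)."""
    out = {password, password.lower(), password.upper(),
           password.capitalize(), password.swapcase()}
    for suffix in ".!?0123456789":                     # "add a period", "add a digit"
        out.add(password + suffix)
    stripped = password.rstrip(".!?0123456789")        # the reverse: drop the suffix
    if stripped:
        out.add(stripped)
    for i, ch in enumerate(password):                  # "increment a digit" (and decrement)
        if ch.isdigit():
            for delta in (-1, 1):
                out.add(password[:i] + str((int(ch) + delta) % 10) + password[i + 1:])
    return out


def normalize(password: str) -> str:
    """Canonical form for the normalized-hash check: case-fold and drop
    trailing digits/punctuation (assumed rule)."""
    return password.lower().rstrip(".!?0123456789") or password.lower()


class PasswordRecord:
    """Everything the server keeps for one user (hypothetical record layout)."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.verifier = slow_hash(password, self.salt)           # used for login only
        variants = obvious_variants(password)
        self.bloom = BloomFilter(expected_items=len(variants))
        for v in variants:
            self.bloom.add(v)
        self.norm_salt = os.urandom(16)
        self.normalized_digest = slow_hash(normalize(password), self.norm_salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.verifier, slow_hash(password, self.salt))

    def too_similar_bloom(self, candidate: str) -> bool:
        return candidate in self.bloom                           # may false-positive

    def too_similar_normalized(self, candidate: str) -> bool:
        return hmac.compare_digest(self.normalized_digest,
                                   slow_hash(normalize(candidate), self.norm_salt))

    def change_password(self, current: str, new: str) -> "PasswordRecord":
        if not self.verify(current):
            raise ValueError("current password is wrong")
        if self.too_similar_bloom(new) or self.too_similar_normalized(new):
            raise ValueError("new password is too similar to the old one")
        return PasswordRecord(new)                               # rebuild both structures


if __name__ == "__main__":
    rec = PasswordRecord("Tr0ub4dor&3")                          # constructed sample
    for cand in ["Tr0ub4dor&4", "Tr0ub4dor&3.", "TR0UB4DOR&99", "correct horse battery staple"]:
        print(f"{cand!r:32} bloom={rec.too_similar_bloom(cand)} "
              f"normalized={rec.too_similar_normalized(cand)}")
```

Note how the two checks disagree on "TR0UB4DOR&99": it is not one of the precomputed variants, so the Bloom filter lets it through, while the normalized form ("tr0ub4dor&") matches and rejects it. The opposite also happens: "Tr0ub4dor&3." is caught by the filter because "add a period" was a generated variant, not because of any general rule. That is the point made at the end of the message: each scheme only knows the notion of "similar" that was baked in when the old password was stored.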