I'm assuming that at password change (new password policy evaluation) time you have both the old and new passwords, in which case you can use Optimal String Alignment Distance for at least that pair of passwords. If you have only one password you can try a cookbook of transformations that users might apply to their passwords, and then there's Professor Bellovin's Bloom filter suggestion. If you have only a history of password hashes and no actual passwords and you want to determine similarity, well, you're fortunately out of luck.
Nico