On Fri, Dec 30, 2011 at 8:40 PM, Randall  Webmail <rv...@insightbb.com> wrote:
> On Tue, 27 Dec 2011 15:54:35 -0500 (EST), Jeffrey Walton <noloa...@gmail.com> 
> wrote:
>>Hi All,
>>
>>We're bouncing around ways to enforce non-similarity in passwords over
>> time: password1 is too similar to password2 (and similar to
>> password3, etc).
>>
>>I'm not sure it's possible with one way functions and block cipher residues.
>>
>>Has anyone ever implemented a system to enforce non-similarity business rules?
>
> You are going to run into massive resistance from the user base, almost all
> of whom have been told of the organization's "Change your password every X
> days" rule, and almost the same number of whom have been told "Just pick a
> password you'll remember, like your dog's name, and then when you have to
> change it, just add a 1 on the end."

Boy, the latter sounds like advice that a black hat hacker would give someone to
ensure simple dictionary attacks are successful. Your dog's name? Really???

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
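One way to act on Jeffrey's question at the single moment both plaintexts exist, the password-change request, added here as an example and not code from anyone in the thread: normalize both strings (case folding, common leetspeak, trailing digits) and compare edit distance. The `normalize`, `levenshtein` and `too_similar` functions and the distance threshold are this example's own assumptions; passwords older than the current one survive only as one-way hashes and cannot be compared this way.

```python
"""Similarity check between the current password and the proposed new one.
Added example, not from the thread. Assumes the change flow has both
plaintexts (the user types the old password to authorize the change);
earlier passwords stored only as one-way hashes cannot be compared."""
import re


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Fold case, drop trailing digits/punctuation, undo common leetspeak,
    so 'Rover1' and 'r0ver2!' reduce to the same root 'rover'."""
    pw = re.sub(r"[\d\W_]+$", "", pw.lower())
    return pw.translate(str.maketrans("0134578@$", "oieastbas"))


def too_similar(old: str, new: str, max_distance: int = 3) -> bool:
    """True when the new password is a trivial variant of the old one."""
    o, n = normalize(old), normalize(new)
    if not o or not n:           # all-digit passwords: compare raw strings
        o, n = old.lower(), new.lower()
    if o == n or o in n or n in o or n == o[::-1]:
        return True
    return levenshtein(o, n) <= max_distance
```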
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
