Old 10-09-2010, 07:33 PM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
What's the best way to handle checking for a similar previous password?


What's the best way to handle checking for a similar password?

I.e., what would a possible algorithm be to generate the error "this password is too similar to one of your previous passwords"?

I thought about taking the ASCII value of each letter, adding them up, and looking for at least a difference of X.

What methods have yall seen used for this?

TIA
 
Old 10-09-2010, 07:44 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 18,763
Blog Entries: 28

Rep: Reputation: 5965
I found this on another site.

http://forum.codecall.net/linux-unix...rd-change.html

Also this somewhere else.

http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

I haven't tested either one.
 
Old 10-09-2010, 09:12 PM   #3
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Quote:
Originally Posted by frankbell View Post
I found this on another site.

http://forum.codecall.net/linux-unix...rd-change.html

Also this somewhere else.

http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

I haven't tested either one.
Thanks!

Those don't seem to talk about similar passwords though.

Also I'm doing this in PHP.
 
Old 10-09-2010, 10:21 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Being able to do this would imply that you're actually saving users' passwords (instead of only their message digests), which is a terrible, terrible thing to do IMHO. Have you considered the dangers involved in this?
 
Old 10-09-2010, 10:51 PM   #5
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Quote:
Originally Posted by win32sux View Post
Being able to do this would imply that you're actually saving users' passwords (instead of only their message digests), which is a terrible, terrible thing to do IMHO. Have you considered the dangers involved in this?
I would be saving old/dead passwords only.

For example, the user enters his old password and the new password twice. If the new password meets the guidelines, the old password is entered into a dead passwords table, and an MD5 is created and stored for the new password. The new password is never stored until it becomes a dead password and is replaced with a new password.

The ASCII values would be calculated within the script based on the initial user input, and IMHO that would not cause a security risk.

So what we have here is: is it better to have dead passwords (encrypted, of course) vs. allowing the user to pick a similar password? A lot of users will just add a 1 to the end of their password, then in 90 days change that to 2, then 3, then 4, etc.
 
Old 10-09-2010, 11:19 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Okay, but you're still giving attackers a treasure trove of information which they can use to conduct further attacks. This is especially true in today's world, where (as you've pointed out) users do the most ridiculous things with their passwords. By keeping old passwords around, you're increasing the risk for your users across multiple sites, not just yours (think about how users use similar or even equal passwords on different sites, for example). In any case, if you're hellbent on using this technique, perhaps you could have a look and see if the similar_text() and levenshtein() functions could be applied to meet your requirements?

Last edited by win32sux; 10-09-2010 at 11:21 PM.
 
1 members found this post helpful.
Old 10-10-2010, 06:54 AM   #7
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Quote:
Originally Posted by win32sux View Post
Okay, but you're still giving attackers a treasure trove of information which they can use to conduct further attacks. This is especially true in today's world, where (as you've pointed out) users do the most ridiculous things with their passwords. By keeping old passwords around, you're increasing the risk for your users across multiple sites, not just yours (think about how users use similar or even equal passwords on different sites, for example). In any case, if you're hellbent on using this technique, perhaps you could have a look and see if the similar_text() and levenshtein() functions could be applied to meet your requirements?
Thanks! I think it would be worth it in my case; I have strict password requirements to begin with, so the chance that a lazy user already has a password that meets the requirements and that he uses everywhere would be rare.

Last edited by abefroman; 10-10-2010 at 07:25 AM.
 
Old 10-12-2010, 07:07 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by abefroman
So what we have here is: is it better to have dead passwords (encrypted, of course) vs. allowing the user to pick a similar password? A lot of users will just add a 1 to the end of their password, then in 90 days change that to 2, then 3, then 4, etc.
In this particular case, I'd argue that the latter - being able to pick a similar, strong password - is better. How are you going to keep the old passwords encrypted? (Where will the encryption key live? Point is: some part of your process is going to either have a key or an old password stored as cleartext.)
 
Old 10-12-2010, 08:13 PM   #9
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Rep: Reputation: 38
I would recommend making an MD5 hash of the plain text passwords and saving it in the database. The MD5 of a particular string is always the same. That way, you can hide the passwords and also check whether the new password resembles any of the older ones.

This link might give you a clue on how to do this http://php.net/manual/en/function.md5.php

Finally, passwords should never be stored as plain text, whether they are old or new.
 
Old 10-12-2010, 11:00 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by the_gripmaster View Post
I would recommend making an MD5 hash of the plain text passwords and saving it in the database. The MD5 of a particular string is always the same. That way, you can hide the passwords and also check whether the new password resembles any of the older ones.
Message digests (hash values) only let you know whether something is either the same or different. Therefore, their usefulness in this case (to find similar passwords) is practically void AFAICT, as determining similarity will require plaintext access to anything being compared against.

Last edited by win32sux; 10-12-2010 at 11:05 PM.
 
Old 10-12-2010, 11:33 PM   #11
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Rep: Reputation: 38
Quote:
Originally Posted by win32sux View Post
Message digests (hash values) only let you know whether something is either the same or different. Therefore, their usefulness in this case (to find similar passwords) is practically void AFAICT, as determining similarity will require plaintext access to anything being compared against.
$oldpass1=md5("oldpass1");
$oldpass2=md5("oldpass2");
$oldpass3=md5("oldpass3");

Now, we have md5 of previous 3 passwords.

$newpass=md5("newpass");

Now we have the md5 of the new password.

if ($newpass == $oldpass1 || $newpass == $oldpass2 || $newpass == $oldpass3) {
    echo "This password was used previously!";
}

Isn't this what the OP wants? (Excuse my PHP syntax, which has gotten rusty over 2 years.)

Edit:
Quote:
Originally Posted by abefroman View Post

IE. What would a possible algorithm be to generate the error "this password is too similar to one of your previous passwords"
Sorry, didn't read the requirement well enough. Well, in this case, the only option is access to the plaintext passwords used previously. Maybe Base64 encoding can be used, which is a little better than keeping them as plaintext.

Last edited by the_gripmaster; 10-12-2010 at 11:42 PM.
 
Old 10-13-2010, 05:20 PM   #12
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Addendum to my previous comments:

When a user wishes to change his password, make him enter the existing password and the new password (twice for confirmation) on the same form. Then you'll have both the existing password and the new candidate password in memory, so you can check for similarities at that time.

If password:n is sufficiently different than password:n+1, you can be "confident enough" that password:n is sufficiently different than password:n+5 (assuming your similar password checking algorithm is doing a decent job).

And, again, I question how much payoff there really is in forcing users to change to drastically different strong passwords at regular intervals. Seems like it's just begging for them to write it down on a monitor sticky.
 
Old 10-13-2010, 06:21 PM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by anomie View Post
When a user wishes to change his password, make him enter the existing password and the new password (twice for confirmation) on the same form. Then you'll have both the existing password and the new candidate password in memory, so you can check for similarities at that time.

If password:n is sufficiently different than password:n+1, you can be "confident enough" that password:n is sufficiently different than password:n+5 (assuming your similar password checking algorithm is doing a decent job).
In that scenario, wouldn't one be able to make n+2 the same as n given that n is sufficiently different from n+1? It certainly seems that way to me, which is why I'm respectfully disagreeing with your confidence claim.

Last edited by win32sux; 10-13-2010 at 06:58 PM.
 
2 members found this post helpful.
Old 10-13-2010, 10:19 PM   #14
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Yes, I see your point. Thanks for questioning my (questionable) hypothesis. That's why we have peer scrutiny.

password:n1 == foo57bar%
password:n2 == baz.^.boo.1
password:n3 == foo57bar%
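The two mechanisms argued over above, put together in one change handler: a levenshtein() comparison against the current password (which is in memory only because the change form asks for it, as anomie describes) plus a history of hashes of previous passwords, which catches the n3 == n1 rotation win32sux raised without any old password being stored in the clear. This is an added example, not code from any post in this thread; the function name check_password_change, the MIN_DISTANCE threshold of 4 edits and the sample passwords are assumptions, and it assumes the current password has already been verified against its stored hash.

```php
<?php
// Added example, not code from any post in this thread. Combines the two
// ideas discussed above: a Levenshtein distance against the *current*
// password (in memory only because the change form asks for it) and a
// history of hashes of previous passwords, which catches exact reuse such
// as n3 == n1 without any old password ever being stored in the clear.
declare(strict_types=1);

const MIN_DISTANCE = 4;   // assumption: new password must be >= 4 edits away

// Returns null when the change is acceptable, otherwise a user-facing reason.
// $history holds password_hash() outputs of previous passwords (any order).
function check_password_change(string $current, string $new, array $history): ?string
{
    // Exact reuse of any previous password: hashes are enough for this test.
    foreach ($history as $oldHash) {
        if (password_verify($new, $oldHash)) {
            return 'This password was used previously.';
        }
    }
    // Similarity can only be judged against plaintext, and the only plaintext
    // legitimately available is the current password the user just typed.
    // Lower-casing first so a capitalisation change alone does not count.
    $distance = levenshtein(strtolower($current), strtolower($new));
    if ($distance < MIN_DISTANCE) {
        return 'This password is too similar to your previous password.';
    }
    return null;
}

function report(string $label, ?string $reason): void
{
    echo $label, ': ', $reason ?? 'accepted', PHP_EOL;
}

// Constructed walk-through of the n1 / n2 / n3 sequence from the thread.
$history = [password_hash('foo57bar%', PASSWORD_DEFAULT)];   // n1 is live, stored hashed

// n1 -> "foo57bar%1": the "append a digit" change, one edit away, so rejected.
report('n1 -> foo57bar%1', check_password_change('foo57bar%', 'foo57bar%1', $history));

// n1 -> n2: far enough apart, so accepted; its hash joins the history.
report('n1 -> n2', check_password_change('foo57bar%', 'baz.^.boo.1', $history));
$history[] = password_hash('baz.^.boo.1', PASSWORD_DEFAULT);

// n2 -> n3 == n1: passes the distance test but is caught by the hash history.
report('n2 -> n3', check_password_change('baz.^.boo.1', 'foo57bar%', $history));
```

The hash history only ever sees the candidate password, so it adds the exact-reuse check the_gripmaster proposed without the plaintext store the rest of the thread objects to.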
 
Old 10-27-2010, 05:06 AM   #15
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 681
Look in the man page for pam_pwcheck. It has many of the options you are looking for.

This page deals with how to use pam_pwcheck and pam_cracklib together.
http://www.novell.com/support/viewCo...4596&sliceId=1

Investigate whether opasswd only has a password added when a user makes a change, and if it is adequately encrypted. A person in the habit of making only a small change to an old password may also be in the habit of modifying or reusing a password used elsewhere.
 