regex in password changing

jcpunk has asked for the wisdom of the Perl Monks concerning the following question:

Replies are listed 'Best First'.
Re: regex in password changing by Abigail-II (Bishop) on Jun 27, 2003 at 15:14 UTC
`my $old = "......"; my $new = "......"; my $diff = $old ^ $new; my $cnt = $diff =~ y/\0//cd;` [download] Now `$cnt` holds the amount of character by character differences. Abigail	[reply] [d/l]
Re: Re: regex in password changing by jcpunk (Friar) on Jun 27, 2003 at 15:19 UTC
thank you very much for that bit of code jcpunk by the way thanks for all the help that was, is, and will be	[reply]
Re: regex in password changing by ViceRaid (Chaplain) on Jun 27, 2003 at 15:26 UTC
You might be interested in the Text::Levenshtein modules which supply an algorithm for measuring the similarity between two words. From the Pod: `use Text::Levenshtein qw(distance); print distance("foo","four"); # prints "2"` [download] It prints "2" because it takes 1 change ('o' -> 'u') and 1 addition ('r') to change 'foo' into 'four'. This would help you catch people trying to change their passwords just by adding an extra character on the end, like 'password' -> 'passwordX'. HTH ViceRaid (Though I like Abigail's suggestion above a great deal, and had never realised you could do that. Thanks.)	[reply] [d/l]
Re: regex in password changing (tye) by tye (Sage) on Jun 27, 2003 at 17:41 UTC
I'd rather err on the side of disallowing more things than, for example, allowing a change from "hello" to "shello" (which only has one character the same according to Abigail's test) or from "super" to "repus" (a simple reversing that even Text::Levenshtein would say requires quite a few substitutions): `my $count = () = $new =~ /[^\Q$old\E]/g;` [download] This sets $count to the number of characters in the new password that were nowhere in the old password. - tye	[reply] [d/l]
Re: regex in password changing by cfreak (Chaplain) on Jun 27, 2003 at 15:28 UTC
Wow. That is tough. ~~I don't think a regex would solve it though.~~ Update: as shown above regex will work :) This seems to work: `#!/usr/bin/perl use strict; my ($pass1,$pass2) = @ARGV; my $diff = 0; for(0 .. length($pass1)) { $diff ++ unless substr($pass1,$_,1) eq substr($pass2,$_,1); } if($diff < 3) { print "not okay\n"; } else { print "Okay\n"; }` [download] Lobster Aliens Are attacking the world!	[reply] [d/l]
Re: regex in password changing by CountZero (Bishop) on Jun 27, 2003 at 15:47 UTC
No need to use a regex. If the difference in length between both passwords is 3 or more, you already have your 3 character difference. Otherwise check the first character of the shorter string against the first character of the longer string, do the same with the second, third, ... characters, adding one to the difference in length between two passwords: as soon as your sum is three, the new password is OK. If you run out of characters and still the sum is less than three, the new password is wrong. However, if you simply add one new character to the beginning of the old password to make a new password, this algoritm will say this is OK and that is perhaps not what you are looking for. If that is indeed the case, do the following: tally the different characters of each password in a hash for each password (the key being the character, the value being the number of times this character appears in the password). Then take the absolute difference between the value of each key in the hash, compared to the same key in the other hash. (you have to make certain that both hashes have the same keys, so you may have to add keys with value zero for characters which appear in one password but not in the other). Sum these absolute differences. If it is less than three, the new password is not OK, otherwise it is. CountZero "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law	[reply]