in reply to Minimal password checking: a summary

It looks like it will let your username pass with some disguise:

my $doubt = 'br0n7o1.';   # (also 8r0n7o1.) reads bronto1.
is($ok, passcheck($username, $doubt, @userinfo), "$doubt is good");

Perhaps you should do some minimal conversion before checking for personal info, such as tr/128075/izbots/.

Replies are listed 'Best First'.
Re: Re: Minimal password checking: a summary
by bronto (Priest) on Jul 30, 2003 at 08:57 UTC

    Last night I worked on your suggestion: unfortunately there are many symbols that cannot be mapped uniquely; for example the number 1 could well be mapped to 'l', 'i' and 'I'; the same holds for other symbols that could be mapped to more than one letter. Taking each and every possible combination could take a lot of time, and you are always leaving something out.

    That's why I chose not to implement it even in a simple form. But if you have some efficient code that takes into account the special cases, you are welcome :-)

    Ciao!
    --bronto


    The very nature of Perl to be like natural language--inconsistant and full of dwim and special cases--makes it impossible to know it all without simply memorizing the documentation (which is not complete or totally correct anyway).
    --John M. Dlugosz

      There is a simple way. Instead of checking if a password looks like a username, you can first translate the username into this sort of "code" and then check if they look the same. Something along the lines of

      my %codes = (
          l => 1, L => 1, i => 1, I => 1,
          z => 2, Z => 2, e => 3, E => 3,
          h => 4, H => 4, s => 5, S => 5,
          G => 6, g => 9, t => 7, T => 7,
          b => 8, B => 8, o => 0, O => 0,
      );
      my $user = 'pileofdung';

      # translate the username into its "code" form
      my $translated;
      for (split //, $user) {
          $translated .= (defined $codes{$_}) ? $codes{$_} : $_;
      }
      print $translated, $/;    # p1130fdun9

      my $password = 'p113.0f.dun9%';

      # count how many characters of the translated username occur
      # somewhere in the password (\Q...\E so that symbols are matched
      # literally and not as regex metacharacters)
      my $match = 0;
      for (split //, $translated) {
          $match++ if $password =~ /\Q$_\E/;
      }

      # you can choose how lax you want to be by setting an
      # appropriate number of characters that you want to be
      # different between username and password; in this case,
      # if all but 2 characters are the same, it is a bad password
      # (the threshold is taken from the translated username, not
      # from the password, which may be longer)
      print "they match\n" if $match >= length($translated) - 2;

      Of course, you can use any other comparing methods, but just to give you some ideas to play with.

        You are still assuming that a unique mapping is possible, but it isn't.

        I investigated a little about what symbols and numbers people use as substitutes for alphabetic characters, and I got this table:

        a/A: @, 4
        b/B: 6, 8, &
        d/D: 0
        e/E: 3, &
        f/F: #
        g/G: 9
        h/H: #
        i/I: 1, l
        j/J: 1
        l/L: 1
        o/O: 0
        p/P: 9
        q/Q: 9
        s/S: $, 5
        t/T: +
        z/Z: 2, 7, %

        As you can see, a single letter can map to three characters, and a single symbol can map to many characters...

        A solution could be a junction, but we are speaking about Perl 5, and junctions will come with Perl 6... Any Perl 5 solution to this problem?

        Ciao!
        --bronto


        The very nature of Perl to be like natural language--inconsistant and full of dwim and special cases--makes it impossible to know it all without simply memorizing the documentation (which is not complete or totally correct anyway).
        --John M. Dlugosz
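Added example (not code from the thread or from bronto's module): a Perl 5 way to avoid the non-unique mapping problem raised above and the combinatorial expansion bronto was worried about, and an alternative to the translate-the-username idea in the earlier reply. Instead of mapping symbols back to letters, the username is turned into a regex in which each letter becomes a character class containing the letter itself and every symbol that can stand for it. A digit like 1 is then simply listed under i, j and l at once, so nothing has to be unique and nothing is enumerated; the check is a single match. The substitution table is bronto's table from the post above plus 7 for t (used in the 'br0n7o1.' disguise); that extension, the helper names and the test cases are assumptions for this example, not part of the original.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Common stand-ins for each letter: bronto's table plus '7' for 't'.
# Assumed and not exhaustive; add entries as you see them in the wild.
my %subs = (
    a => '@4',  b => '68&', d => '0',  e => '3&', f => '#',
    g => '9',   h => '#',   i => '1l', j => '1',  l => '1',
    o => '0',   p => '9',   q => '9',  s => '$5', t => '+7',
    z => '27%',
);

# Turn a username into a regex.  Each letter becomes a character class
# holding the letter (both cases) plus every symbol that can stand for
# it, so '1' just appears under i, j and l: no one-to-one mapping is
# needed and no combinations are built.  Between characters any run of
# punctuation is allowed, so 'p113.0f.dun9' still reads as 'pileofdung'.
# Non-letters in the username are matched literally.
sub username_pattern {
    my ($username) = @_;
    my @parts;
    for my $ch (split //, $username) {
        my $lc = lc $ch;
        if ($lc =~ /\A[a-z]\z/) {
            my $class = $lc . uc($lc)
                      . (defined $subs{$lc} ? $subs{$lc} : '');
            push @parts, '[' . quotemeta($class) . ']';
        } else {
            push @parts, quotemeta($ch);
        }
    }
    return join '[\W_]*', @parts;
}

# True if the password contains the username in any disguised form.
sub looks_like_username {
    my ($password, $username) = @_;
    return 0 if length($username) < 3;     # too short to mean anything
    my $re = username_pattern($username);
    return $password =~ /$re/ ? 1 : 0;
}

# Constructed test cases; only the first two come from the thread.
print "bronto => ", username_pattern('bronto'), "\n";
for my $case ( ['br0n7o1.',       'bronto',     1],
               ['8r0n7o1.',       'bronto',     1],
               ['p113.0f.dun9%',  'pileofdung', 1],
               ['Xp1l3-0f-Dun9!', 'pileofdung', 1],
               ['c0rr3ct h0rs3',  'bronto',     0],
               ['bront',          'bronto',     0] ) {
    my ($pw, $user, $expect) = @$case;
    my $got = looks_like_username($pw, $user);
    printf "%-16s vs %-11s -> %s%s\n", $pw, $user,
        $got ? 'looks like username' : 'ok',
        $got == $expect ? '' : '  (UNEXPECTED)';
}
```

For 'bronto' the generated pattern is [bB68\&][rR][oO0][nN][tT\+7][oO0] with [\W_]* between the classes, so 'br0n7o1.' and '8r0n7o1.' both match in one regex test, and the earlier 'p113.0f.dun9%' example is caught without the character-counting heuristic. Two caveats a deployment would want: the match is for the username in order, so a reversed or scrambled username is not detected, and quotemeta must stay on every class because the table contains $, & and + which would otherwise be regex metacharacters.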