in reply to Re: Basic password checking
in thread Basic password checking

you accept a1@a1@ba1@a1@, but reject a1@a1@ba1@a1@b

Yes, unfortunately

IMO, if you want to do something with the repeatedness, you should only test the first N characters, where N is the minimum number of characters allowed.

I don't agree. In fact, if you use ba1@a1@a1@a1@b you are stuck again with the same problem: the password is full of similar characters, but... acceptable. To make things work better you could check all N-wide windows of the password for repetitions (that is, for N=6, ba1@a1, a1@a1@, 1@a1@a...). So if the password is M > N characters long, you should check the M-N N-wide sections of the password, or, better and safer, the first N characters of each of the M rotations of the password itself...

Would it be computationally affordable? I should check...

Ciao!
--bronto


The very nature of Perl to be like natural language--inconsistent and full of dwim and special cases--makes it impossible to know it all without simply memorizing the documentation (which is not complete or totally correct anyway).
--John M. Dlugosz

Re: Basic password checking
by Abigail-II (Bishop) on Jul 30, 2003 at 13:59 UTC
    I don't agree. In fact, if you use ba1@a1@a1@a1@b you are stuck again with the same problem: the password is full of similar characters, but... acceptable.

    Yes, and? Because you already accept passwords with only N characters, you shouldn't reject a password of N + k characters because there's repetition in the final k characters. If it's ok for the final k characters to not be there, they can't make it easier to guess the password if they are there.

    If ba1@a1 doesn't contain too much repetition, and hence is safe, then ba1@a1@a1@a1@b should be safe too. I mean, it doesn't get easier to break into your house if you add a lock on your door, even if that lock uses the same key as one of your other locks? It may not contribute much, but it doesn't make it go from safe to unsafe.

    Abigail

      Wow! After discussing your point of view with a System Administrator friend of mine (in Italian, that made things far easier to understand), I finally get your point!

      What my friend said to make me understand your point was:

      if the minimum password length is 6, your security level is the one given by passwords of length 6, not by the longer ones; the longer ones add something more, but security depends on how secure the shorter passwords are

      that put in English sounds like: if the minimal length for your passwords is 6, then your security level is the one that 6-character long passwords give, not the one given by longer passwords; longer passwords add something more, but security depends on how secure the shortest allowed passwords are.

      So, actually, if the minimal length allowed for a password is N and we have an M > N password, it should be considered secure if we can find at least one secure N-subset of it. Right?

      Thanks for pointing me in the right direction, and since I am here I'd add a new question.

      How much strength would it add to the algorithm, without complicating it too much, to require that an M-character long password contain p*M different symbols (e.g. p=2/3)?

      Ciao!
      --bronto

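To tie together the N-wide window check proposed earlier in the thread, Abigail's rule that one safe N-window is enough, and bronto's follow-up question about requiring p*M distinct symbols, here is an added Perl example; it is not code from the thread, and the repetition test applied inside a window (a chunk of two or more characters occurring twice in the window) is a hypothetical criterion chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical repetition test for one N-character window: the window is
# "repetitive" when some chunk of 2..N/2 characters occurs twice in it.
sub window_has_repetition {
    my ($w) = @_;
    my $n = length $w;
    for my $len (2 .. int($n / 2)) {
        for my $i (0 .. $n - 2 * $len) {
            my $chunk = substr $w, $i, $len;
            # look for the same chunk again, starting after its own end
            return 1 if index($w, $chunk, $i + $len) >= 0;
        }
    }
    return 0;
}

# Abigail's rule: a password of length M >= N is acceptable if at least
# one N-wide window passes the repetition test; extra characters can't
# make a password that already contains a safe N-window weaker.
sub has_safe_window {
    my ($pw, $n) = @_;
    my $m = length $pw;
    return 0 if $m < $n;
    for my $i (0 .. $m - $n) {
        return 1 unless window_has_repetition(substr $pw, $i, $n);
    }
    return 0;
}

# bronto's follow-up: require at least p*M distinct symbols in the
# M-character password (e.g. p = 2/3).
sub has_enough_distinct {
    my ($pw, $p) = @_;
    my %seen = map { $_ => 1 } split //, $pw;
    return scalar(keys %seen) >= $p * length $pw ? 1 : 0;
}

sub check_password {
    my ($pw, $n, $p) = @_;
    return has_safe_window($pw, $n) && has_enough_distinct($pw, $p) ? 1 : 0;
}

# Constructed inputs: the two thread examples plus one clearly varied password.
for my $pw ('a1@a1@ba1@a1@b', 'ba1@a1@a1@a1@b', 'Q2w#mZ9ab!') {
    printf "%-16s window ok: %d  distinct ok: %d  accepted: %d\n", $pw,
        has_safe_window($pw, 6), has_enough_distinct($pw, 2/3),
        check_password($pw, 6, 2/3);
}
```

With N=6 the first thread example now passes the window check (the window @ba1@a has no repeated chunk), so the original accept/reject inconsistency between the two lengths disappears, while both thread examples still fail the distinct-symbol requirement because they use only four different characters.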