 

Password strength check: comparing to previous passwords

Every now and then I come across applications that force you to change passwords once in a while. Almost universally, they have this strange requirement for the new password: it has to be "significantly" different from your previous password(s).

While at first this sounds logical, the next thing I think is: how do they do that? Do they store my passwords in plain text? I would have accepted the answer that they do, if it wasn't for the fact that these are the kinds of applications that pretend to care about security so much they force you to change your password when it expires! Microsoft Exchange is one example of this.

I'm not very good at cryptography and hash functions, so my question is this: Is it possible to enforce this kind of policy without storing passwords in plain text?

Do you know how this policy is implemented in real world applications?

UPDATE: An example. I was recently changing my Microsoft Exchange password. I only use Web Access, so it might be a little different -- I have no idea. So, it forces me to change my password. What I do sometimes is change it to something new and then change it back almost immediately. The freaky part is that it did not allow me to even change it back because of this. I tried changing it a little, by adding a letter in front of it or changing one symbol -- no luck, it was complaining.

Maxim Sloyko asked Jun 04 '11 11:06



2 Answers

With a typical hash, the best you can do is see if the new password is exactly equal to previous ones. You can break the password into multiple hashes in order to allow more flexible comparison, for example 3 hashes:

  1. Alpha characters only
  2. Numeric characters only
  3. All other characters

You could for example require all the hashes to change to be accepted, to prevent users from just changing their password from SecretPassword01 to SecretPassword02.

A cryptographic expert may weigh in here on whether this could be made as secure as a single hash.

NOTE that this is not as secure as a single hash, so before you go implementing this, make sure you have really done your research.

tenfour answered Jan 03 '23 00:01


When changing a password you're usually asked for the old one to confirm your identity. It's then trivial to compare the old one and the new one to see how much they differ. TBH I don't know how to compare to several previous passwords without storing them, but that's getting into the territory of ridiculous policies anyway.

Cat Plus Plus answered Jan 03 '23 01:01
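As an added example (not code from either answerer), the two approaches above combined: the current password is in hand in plaintext at change time, so its edit distance to the new one can be measured directly, while earlier passwords can only be checked for exact reuse against their salted hashes. The per-character-class hashes from the first answer are included so their weakness is visible: each short piece is hashed on its own and is a far smaller search space than the whole password. The KDF cost, the distance threshold and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed demo value; use your KDF's recommended cost

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the whole password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def class_hashes(password: str, salt: bytes) -> list:
    """First answer's scheme: hash alpha, digit and other characters separately.
    Weaker than one hash: an attacker can brute-force each short piece alone."""
    alpha = "".join(c for c in password if c.isalpha())
    digits = "".join(c for c in password if c.isdigit())
    other = "".join(c for c in password if not c.isalnum())
    return [hash_password(part, salt) for part in (alpha, digits, other)]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_change(old_plain: str, new_plain: str, history: list, min_distance: int = 3):
    """history: list of (salt, digest) pairs, newest first.
    Returns None if the change is accepted, otherwise the rejection reason."""
    salt, digest = history[0]
    if not hmac.compare_digest(hash_password(old_plain, salt), digest):
        return "current password incorrect"
    # Exact reuse: rehash the candidate under every stored salt (constant-time compare).
    if any(hmac.compare_digest(hash_password(new_plain, s), d) for s, d in history):
        return "password was used before"
    # Similarity: only measurable against the one plaintext we hold right now.
    if levenshtein(old_plain, new_plain) < min_distance:
        return "too similar to current password"
    return None

def new_entry(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed sample history: current password first, one earlier password after it.
HISTORY = [new_entry("SecretPassword01"), new_entry("Tr0ub4dor&3")]
```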