
Check for the similarity of the new passwords with password history

 
Nilesh Pat
Ranch Hand
Posts: 46
I need to develop logic to check a new password for similarity with its history.

My application stores the user's last 5 passwords so that the user is not allowed to use them again. But now I need to disallow similar passwords as well, like:
Original Password: P@ssword1
First Password Change: P@ssword2
Second Password Change: P@ssword3

Basically it's like calculating the similarity of two strings. Can anyone suggest good logic to find out whether two strings are more than around 90% similar?
 
Tony Docherty
Bartender
Posts: 3271
There is something called the "Levenshtein function" which computes the difference between strings. It works by computing the number of single character changes required to get from one string to the other. You might want to search for the algorithm (there may even be an open source Java implementation).
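An added worked example of the edit-distance check Tony describes (not code from this thread, and written in Python rather than Java so it runs stand-alone; the same dynamic-programming loop is what commons-lang3's StringUtils.getLevenshteinDistance implements). The 0.9 ratio and the 2-edit budget are illustrative thresholds, not values from the thread. Note the caveat the numbers expose: P@ssword1 vs P@ssword2 is 1 edit out of 9 characters, i.e. only 88.9% similar, so a pure "more than 90%" rule would let the original poster's own example through; an absolute edit budget alongside the ratio closes that gap for short passwords. This only works where the old passwords are recoverable as plaintext (the current one can always be requested from the user on change).

```python
"""Edit-distance similarity check of a new password against plaintext history.

Added example: requires the historical passwords as plaintext (or at least the
current one, supplied by the user during the change); it cannot work on hashes.
"""


def levenshtein(a: str, b: str) -> int:
    """Classic single-row dynamic-programming edit distance.

    Insert, delete and substitute each cost 1.
    """
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution / match
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 == identical, 0.0 == nothing in common; normalised by the longer string."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(a, b) / longest


def too_similar(new_pw: str, old_pw: str,
                min_ratio: float = 0.9, max_edits: int = 2) -> bool:
    """Reject when EITHER the ratio threshold OR the absolute edit budget is hit.

    The ratio scales with length (good for long passphrases), the edit budget
    catches 'bump the last digit' on short passwords, which a 90 % ratio alone
    misses for anything under 10 characters.  Comparison is case-insensitive
    and also made against the reversed old password, two common lazy edits.
    Threshold values are assumptions for this example.
    """
    n = new_pw.lower()
    old = old_pw.lower()
    for candidate in (old, old[::-1]):
        if levenshtein(n, candidate) <= max_edits:
            return True
        if similarity(n, candidate) >= min_ratio:
            return True
    return False


def check_history(new_pw: str, history, **thresholds) -> list:
    """Return every historical password the new one is too close to (empty == OK)."""
    return [old for old in history if too_similar(new_pw, old, **thresholds)]


if __name__ == "__main__":
    # Constructed sample history, mirroring the thread's example passwords.
    sample_history = ["P@ssword1", "P@ssword2", "Tr0ub4dor&3"]
    print(similarity("P@ssword1", "P@ssword2"))            # 0.888...  (< 0.9!)
    print(check_history("P@ssword3", sample_history))       # ['P@ssword1', 'P@ssword2']
    print(check_history("P@ssword3", sample_history, max_edits=0))  # [] with ratio only
```

The last line of the demo is the practical point: with only a 90% ratio rule, "P@ssword3" passes against a history of "P@ssword1" and "P@ssword2". Whatever thresholds are chosen, they should be tested against the concrete patterns the policy is meant to stop, not picked as a round number.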
 
Jelle Klap
Bartender
Posts: 1952
Levenshtein distance calculation could work, but you would have to require that the user enter his current password when changing to a new one, because using password hashes as input for the calculation would be useless. The only other option would be to store the historical passwords in plain text, which is a bit of a no-no. That still won't help you determine the similarity up to 5 passwords ago, though. For that you'd have to analyse the new password entered, generate some likely variations and compare the hashes of those generated alternatives against the hashes of historical passwords. I don't see any other way.
 
Tony Docherty
Bartender
Posts: 3271
I was assuming the passwords were stored in an encrypted form so the original password was recoverable. If the passwords are stored as hashes then I can't think of any way of doing it.
 
Ulf Dittmer
Rancher
Posts: 42972
But now I need to disallow him to use similar passwords also

Why is that? Does someone imagine that this increases security?
 
Nilesh Pat
Ranch Hand
Posts: 46
I am checking whether the user is using an old password from the history. Now I need more security, not only for equal passwords but for similar passwords also.
I think the "Levenshtein function" will work.

But as Jelle said, I am storing the password in encoded format in the database. Luckily it's not hashed, so I think it will work using the "Levenshtein function".

Can anyone help me find and explain code for it?

I have checked,
http://stackoverflow.com/questions/955110/similarity-string-comparison-in-java
 
Ulf Dittmer
Rancher
Posts: 42972
Nilesh Pat wrote:Now I need more security, not only for equal passwords but for similar passwords also.

That was my question: why do you think disallowing similar passwords provides more security? No password that is allowed should be trivially guessable or trivially crackable, so why would a password similar to a previous one be less secure?
 
Tony Docherty
Bartender
Posts: 3271
Try apache commons StringUtils. Javadocs: org.apache.commons.lang3.StringUtils

[ UD: edited to show off our nice javadoc UBB tags :-) Except that the link is broken :-( See below for the correct link. ]
 
Ulf Dittmer
Rancher
Posts: 42972
Apologies to Tony for editing his post with something that didn't work - it seems the javadocs of the Commons library have moved to here: http://commons.apache.org/proper/commons-lang/javadocs/api-release/org/apache/commons/lang3/StringUtils.html
 
Nilesh Pat
Ranch Hand
Posts: 46
Ulf Dittmer wrote:
Nilesh Pat wrote:Now I need more security, not only for equal passwords but for similar passwords also.

That was my question: why do you think disallowing similar passwords provides more security? No password that is allowed should be trivially guessable or trivially crackable, so why would a password similar to a previous one be less secure?


It's a requirement from the client:
Password history controls have been put in place to prevent disclosure of password through familiarity. Allowing users to bypass this control may allow a malicious user that is in close proximity of the user to eventually obtain the password little by little.
 
Richard Tookey
Bartender
Posts: 1166
Nilesh Pat wrote:
It's a requirement from client,


If you are storing passwords hashed using one of the major digest algorithms then the requirement is impossible for you to implement. One of the basic requirements of digest algorithms is that even just a one character change will produce a significantly different and seemingly random change to the digest. If you are seeding the digest, as you should be, with a random value that is almost certainly different for each password then the digested results will be unlikely to be the same even for two passwords the same! You can still check for probable equality by simply testing the new password against each saved one but you cannot test for similarity.
 
Winston Gutkowski
Bartender
Posts: 10575
Nilesh Pat wrote:It's a requirement from client,
Password history controls have been put in place to prevent disclosure of password through familiarity. Allowing users to bypass this control may allow a malicious user that is in close proximity of the user to eventually obtain the password little by little.

But what about a malicious user who cracks your password history? What (I think) everybody is trying to tell you is that carrying password history around may well compromise your system more than it protects it.

You might be able to get some form of safety by storing password hash history, and disallowing any passwords that match a previous hash. You might even be able to curb "similarity" by using bloom filters, but you may also compromise password strength if you do so (I simply don't know enough about the subject).

Suffice to say: What your clients are asking for is NOT straightforward; and may not actually achieve what they intend.

Winston
 