[kwlug-disc] Password change policy

Raymond Chen raymondchen625 at gmail.com
Mon Jun 18 14:52:40 EDT 2018


Most organizations ask their users to change their passwords periodically,
and also have some kind of mandatory password complexity requirement. One
day when I talked about this with some colleagues, I found out quite a few
of them used a strong password, but changed only one character, probably
incrementing a number in it, when asked to change it. Like from Ik0FmU>Hf to
Ik1FmU>Hf to Ik2FmU>Hf.
I think this is compromising security, like writing it down on a
post-it on your monitor. But I can't think of a way to prevent this
technically. We shouldn't store the clear-text password of course. And we
should not find any clue about the similarity by just looking at the encrypted
text if it's a good encryption algorithm. How do we know the user only
changed one character?
Maybe we can pre-calculate all the variations when the user specifies a
password and store all the encrypted strings? But that's a waste of
resources, right?
And that might in fact push some users to use the post-it...


Regards,

Raymond
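One way to implement the check the post asks about, as an added Python example that is not from the post or the list. It assumes two things: at change time the user supplies the old password to authenticate, so old and new can be compared directly; and for older passwords, of which only salted hashes remain, the one-edit variants of the *new* candidate are hashed and compared against the history, rather than pre-computing variants when a password is set. PBKDF2 with a deliberately low iteration count stands in for a real password hash (assumed), and the distance threshold of 3 is an assumed policy value.

```python
import hashlib
import hmac
import string

# Assumed: a stdlib KDF with a low cost so the example runs quickly; a real deployment
# would use bcrypt/scrypt/Argon2, which makes the variant scan below proportionally slower.
KDF_ITERATIONS = 1_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation
TOO_CLOSE_TO_CURRENT = "new password is too close to the current one"
TOO_CLOSE_TO_HISTORY = "new password is one edit away from a previous password"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def single_edit_variants(password: str):
    """Yield every string within one edit of password (includes password itself,
    so an exact reuse of an old password is caught by the same scan)."""
    for i in range(len(password)):
        yield password[:i] + password[i + 1:]                 # deletion
        for c in ALPHABET:
            yield password[:i] + c + password[i + 1:]         # substitution
    for i in range(len(password) + 1):
        for c in ALPHABET:
            yield password[:i] + c + password[i:]             # insertion

def change_allowed(old_password, new_password, history, min_distance=3):
    """history: list of (salt, digest) for earlier passwords; plaintext is never stored.
    Returns (ok, reason)."""
    # 1. The current password is in hand at change time, so compare it directly.
    if levenshtein(old_password, new_password) < min_distance:
        return False, TOO_CLOSE_TO_CURRENT
    # 2. Older passwords exist only as hashes: hash each one-edit variant of the
    #    candidate and look for a match. Cost = variants x history x KDF cost.
    for salt, digest in history:
        for variant in single_edit_variants(new_password):
            if hmac.compare_digest(hash_password(variant, salt), digest):
                return False, TOO_CLOSE_TO_HISTORY
    return True, "ok"
```

The scan in step 2 is where the resource cost the post worries about shows up: roughly 1,800 KDF evaluations per history entry for a 9-character password, which is acceptable at change time but would be prohibitive with a production-strength KDF if done for every variant at set time.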