<div dir="ltr">If you have the new password, if you assume ASCII characters (95 different characters) and a 10-character password, then trying all possible one-character changes only requires 940 tries. These would be tries using the modified new password against the safely-stored (hashed, salted) old password.<div><br><div>That's why one-character changes are unsafe if the old password has leaked...<div><br></div><div>-erik</div></div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 18, 2018 at 7:30 PM, Raymond Chen <span dir="ltr"><<a href="mailto:raymondchen625@gmail.com" target="_blank">raymondchen625@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Not sure how Doug's IT system detect single character change. Maybe it stores the old passwords in clear text for future comparison. And never the current password. Maybe asking for the current password when changing it serves this purpose too. </div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jun 18, 2018, 16:33 Chamunks, <<a href="mailto:chamunks@gmail.com" target="_blank">chamunks@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I don't know the episode of security now I heard it on, or the paper that it was from but the specification that was responsible for this irresponsible security practice has been finally updated and removed. <br><br>Honestly I would look into implimenting something like SQRL once he's got the forums online for support. Apparently its finished. It's passwordless authentication.</div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jun 18, 2018 at 3:38 PM doug moen <<a href="mailto:doug@moens.org" rel="noreferrer" target="_blank">doug@moens.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>These kinds of password change policies are bullshit. They impose an impossible burden on employees. You can't expect the majority of employees to construct and memorize a brand new, unique and highly secure password every three months (or whatever). Most people's brains don't work that way. Since it's an impossible burden, it forces employees to play cat and mouse with IT, and find some way to manage the passwords without IT discovering the method and finding a way to ban it. I created an algorithm for generating an infinite sequence of passwords, and moved to the next password in the sequence every three months. My sequence changed more than one character for each password in the sequence, and IT did not manage to detect and ban my algorithm. They were able to detect single character changes.</div><div><br></div><div>I would suggest implementing two factor authentication, and giving everybody a yubikey.<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 18 June 2018 at 14:52, Raymond Chen <span dir="ltr"><<a href="mailto:raymondchen625@gmail.com" rel="noreferrer" target="_blank">raymondchen625@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Most organizations ask their users to change their passwords periodically, and also have some kind of mandatory password complexity requirement. One day when I talked about this with some colleagues, I found out quite a few of them used a strong password, but changed only one character, probably increase a number there, when asked to change it. Like from Ik0FmU>Hf to Ik1FmU>Hf to Ik2FmU>Hf<span style="color:rgb(167,37,63);font-family:SFMono-400,Menlo,"Segoe UI Mono","Roboto Mono","Oxygen Mono","Ubuntu Mono","Inconsolata 10","Fira Mono","Droid Sans Mono","Andale Mono",monospace;font-size:16px;text-align:center;white-space:pre-wrap;background-color:rgb(230,246,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">
</span><div>I think this is compromising the security, like writing it down on a post-it on your monitor. But I can't think of a way to prevent this technically. We shouldn't store the clear-text password of course. And we should not find any clue on the similarity by just looking at the encrypted text if it's a good encryption algorithm. How do we know the user only changed one character?</div><div>Maybe we can pre-calculate all the variations when user specifies a password and store the all the encrypted strings? But that's a waste of resources, right?</div><div>And that might in fact push some users to using the post-it...</div><div><br></div><div><br></div><div>Regards,</div><div><br></div><div>Raymond</div></div>
<br>______________________________<wbr>_________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org" rel="noreferrer" target="_blank">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" rel="noreferrer noreferrer" target="_blank">http://kwlug.org/mailman/<wbr>listinfo/kwlug-disc_kwlug.org</a><br>
<br></blockquote></div><br></div>
______________________________<wbr>_________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org" rel="noreferrer" target="_blank">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" rel="noreferrer noreferrer" target="_blank">http://kwlug.org/mailman/<wbr>listinfo/kwlug-disc_kwlug.org</a><br>
</blockquote></div>
______________________________<wbr>_________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org" rel="noreferrer" target="_blank">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" rel="noreferrer noreferrer" target="_blank">http://kwlug.org/mailman/<wbr>listinfo/kwlug-disc_kwlug.org</a><br>
</blockquote></div>
<br>______________________________<wbr>_________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" rel="noreferrer" target="_blank">http://kwlug.org/mailman/<wbr>listinfo/kwlug-disc_kwlug.org</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Erik Schnetter <<a href="mailto:schnetter@gmail.com" target="_blank">schnetter@gmail.com</a>></div><div><a href="http://www.perimeterinstitute.ca/personal/eschnetter/" target="_blank">http://www.perimeterinstitute.ca/personal/eschnetter/</a><br></div><div><br></div></div></div></div></div>
</div>