Subject: Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: lugnet.admin.general
Date: Fri, 31 Mar 2000 00:33:13 GMT
In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Todd Lehman writes:
Have you thought about vowels being dropped and K/c substitutions?
Good idea!

Hmmm...not sure how to go about doing this...  The way the checker achieves
its speed is by looking up all substrings in its dictionary rather than
passing every single dictionary word over all substrings (which could take
hours).  So, for example, in order to find a match on something like "lgsstm"
("lego system" minus vowels), it would either have to know exactly which
letters you dropped (in which case the lookup would be speedy) or it would
have to examine millions of permutations of each vowel in each position (in
which case it would be excruciatingly slow) and it might even find whole
bunches of unwanted matches -- for example "leagues steamy" matching
"lgsstm" when all you meant was "lego system", or "mound mayor angie" or
"money dime ring" matching "mndmrng" when all you meant was "mondaymorning".

I don't mean to say it's not a good idea to check (I think it is a good idea,
just as a diagnostic for people) -- I just don't know how to do it quickly
and efficiently without some really big iron.

--Todd

The way I've done something similar in the past is to create a larger
dictionary: create a temp file with all words having their vowels removed, and
do the c/k mutations too, if desired.  Sort and remove duplicate entries.
Finally, merge back into the original dictionary.  This makes the dictionary
much larger, of course.  I wasn't using one as large as yours already seems to
be, but it might still work.

If the size gets too unwieldy, an alternative might be to just use the temp
file you created above AS the dictionary.  Preprocess the submitted passwords
to remove vowels from them as well.  It doesn't matter that there are dozens
or more possible ways that a word with its vowels removed could have come
from.  Any word that would have been rejected would still be rejected, but
some otherwise 'good' words will now also be tagged as bad.  Eg: reversing the
vowels on a word might have been a good password before, but is useless
now.  "Airuke" vs "Eurika" -- both become simply 'rk', illustrating what looks
to be a possible flaw: the passwords look shorter.  Though this isn't really a
problem, since the user still needs to type all the letters anyway.  What this
lacks is a simple way of telling the user which words his password choice
collided with.  Not a big deal, IMO.

Actually I assume you already do *something* like this: do you reduce all
passwords to lower case, and have your dictionary in all lower case?  This
would make sense to do.  Is a word with random caPitAliZatiON that much more
secure than the same word in one of the three 'normal' senses?  (Capitalized,
capitalized, CAPITALIZED)

In any case, the idea is to find passwords that aren't good.  The explanations
of why they aren't is secondary.

--
  David Schilling
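
The reduced-dictionary approach described in the post above, as an added example that is not part of the original message and not LUGNET's checker: both dictionary words and the submitted password are lower-cased, c is folded into k, vowels are stripped, and every substring of the reduced password is looked up once. It goes slightly beyond the post by keeping the source words per reduced key so collisions can be reported; the word list, the function names, the two-character minimum and treating 'y' as a vowel are assumptions.

```python
import re

VOWELS = re.compile(r"[aeiouy]")  # assumption: 'y' is dropped too, as in "lgsstm"

def reduce_word(text):
    """Lower-case, fold c into k, then strip vowels."""
    return VOWELS.sub("", text.lower().replace("c", "k"))

def build_reduced_dictionary(words, min_len=2):
    """Map each reduced form to the dictionary words that collapse onto it."""
    reduced = {}
    for word in words:
        key = reduce_word(word)
        if len(key) >= min_len:          # one-letter keys would match everything
            reduced.setdefault(key, set()).add(word.lower())
    return reduced

def appraise(password, reduced, min_len=2):
    """Return (fraction of the reduced password covered by hits, hits)."""
    p = reduce_word(password)
    if not p:                            # nothing but vowels: treat as fully weak
        return 1.0, {}
    covered = [False] * len(p)
    hits = {}
    for i in range(len(p)):
        for j in range(i + min_len, len(p) + 1):
            sub = p[i:j]
            if sub in reduced:           # one hash lookup per substring
                hits[sub] = reduced[sub]
                covered[i:j] = [True] * (j - i)
    return sum(covered) / len(p), hits

# Constructed sample word list, not LUGNET's dictionary.
WORDS = ["lego", "system", "monday", "morning", "eureka", "castle", "brick"]
REDUCED = build_reduced_dictionary(WORDS)

if __name__ == "__main__":
    for pw in ["lgsstm", "Airuke", "Eurika", "Kastle9", "x7#qzt"]:
        score, hits = appraise(pw, REDUCED)
        print(f"{pw!r}: {score:.0%} covered, hits={sorted(hits)}")
```
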



Message has 1 Reply:
  Re: Automated password appraisal (Re: New feature: Article rating)
 
(...) OK, so work it backwards, IOW. Cool. That sounds doable, and wouldn't even increase the time it took to evaluate pw's by more than the tiniest percent. (...) Well, if the dictionary grows from 2.7 million to 3.5 million entries, that's OK -- (...) (24 years ago, 31-Mar-00, to lugnet.admin.general)  
