On Thu, 21 Sep 2000, Andrew Morgan wrote:

> OK, Andrew is changing his constraints.. I've had a chance to digest
> this function some more and think I now understand what it is supposed
> to be doing so here is the new constraint:
>
> [morgan@blighty test]$ ./verify.sh
> similar looked at old=rho and new=alpharho, generating
> msg='ok'
> similar looked at old=alpharho and new=rho, generating
> msg=is too similar to the old one
> similar looked at old=alpha and new=alpharho, generating
> msg=is too similar to the old one
> similar looked at old=alpha and new=rhoalpha, generating
> msg=is too similar to the old one
>
> Note, the first one passes because the user is trying to keep their old
> password but adding at least as many new characters over those present
> in the first password. So on average, the new password contains more
> that is new than is old.
>
> ./verify.sh looks like this:
> -------
> #!/bin/sh
> ./verify_fn rho alpharho
> ./verify_fn alpharho rho
> ./verify_fn alpha alpharho
> ./verify_fn alpha rhoalpha
> -------
>
> (See my previous post for the code for 'verify_fn.c'.)
>
> My suggested replacement for 'similar' is this:
> ----------
> #include <string.h>   /* strchr, strlen */
>
> static int similar(struct cracklib_options *opt,
>                    const char *old, const char *new)
> {
>     int i, j;
>
>     /* i: length of old; j: characters of old that occur anywhere in new */
>     for (i = j = 0; old[i]; i++) {
>         if (strchr (new, old[i])) {
>             j++;
>         }
>     }
>
>     /* enough of old is gone, or new is at least twice the shared part */
>     if (((i-j) >= opt->diff_ok) || (strlen(new) >= (j * 2))) {
>         /* passwords are not very similar */
>         return 0;
>     }
>
>     /* passwords are too similar */
>     return 1;
> }
> ----------
>
> If anyone wants to poke holes in this, please do. If I don't hear any
> complaints over the next week, I'll commit this change to the sources
> and it will be in 0.73.

My only concern with this function is that it would still treat (e.g.) two
128-character passwords with good randomization as too similar if they
contained the same set of characters.

Still, the proposed change is certainly a far sight better than what we
currently have, and I don't know of a simple way to check if two passwords
are too similar (or even a simple way to /define/ if they're too similar),
so I'm not going to worry too much about it. :)

Steve Langasek
postmodern programmer
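As an added example (not code from the thread or from Linux-PAM itself), the proposed similar() compiled stand-alone against a minimal stand-in for struct cracklib_options, run over the four verify.sh pairs and over a constructed 128-character pair that shares one character set, which is the case Steve raises; diff_ok=10 is assumed.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for pam_cracklib's option struct; only the field the proposed
 * similar() reads is modelled here (an assumption for this example). */
struct cracklib_options { int diff_ok; };
/* Andrew's proposed similar(), as quoted in the thread, with comments added. */
static int similar(struct cracklib_options *opt, const char *old, const char *new)
{
    int i, j;
    /* i: length of old; j: characters of old that occur anywhere in new */
    for (i = j = 0; old[i]; i++) {
        if (strchr(new, old[i])) {
            j++;
        }
    }
    /* not similar if enough of old vanished, or new is at least twice the shared part */
    if (((i - j) >= opt->diff_ok) || (strlen(new) >= (size_t)(j * 2))) {
        return 0;
    }
    return 1;  /* too similar */
}
/* Fixes diff_ok at 10, pam_cracklib's default difok (an assumption kept explicit). */
int check_similar(const char *old, const char *new)
{
    struct cracklib_options opt = { 10 };
    return similar(&opt, old, new);
}
/* Steve's concern, constructed deterministically: a 128-character old password over a
 * 62-character alphabet and a new one that is old reversed, so both use the same characters. */
int long_same_charset_case(void)
{
    const char *cs = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    char old[129], new[129];
    for (int k = 0; k < 128; k++) {
        old[k] = cs[(k * 11) % 62];
        new[127 - k] = old[k];
    }
    old[128] = new[128] = '\0';
    return check_similar(old, new);
}
int main(void)
{
    const char *p[][2] = {{"rho", "alpharho"}, {"alpharho", "rho"}, {"alpha", "alpharho"}, {"alpha", "rhoalpha"}};
    for (size_t c = 0; c < 4; c++)
        printf("old=%s new=%s -> %s\n", p[c][0], p[c][1],
               check_similar(p[c][0], p[c][1]) ? "is too similar to the old one" : "ok");
    printf("128-char same-charset pair -> %d (1 = too similar)\n", long_same_charset_case());
    return 0;
}
```

The four thread cases reproduce Andrew's verify.sh output, and the long pair returns 1: with i == j the left test fails and strlen(new) == 128 is below 2*j == 256, so two unrelated long passwords over one alphabet are rejected.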