Password similarity using probabilistic data structures
This addresses password security issues for users and administrators by discouraging insecure password reuse habits, though it is an incremental application of existing probabilistic data structures.
The paper tackles the problem of password similarity detection to prevent users from creating slight variations of old passwords, which reduces security when passwords are leaked. It proposes using Bloom filters to detect similar passwords while obfuscating stored data, achieving resistance to cryptanalytic attacks for use in exposed systems.
Passwords should be easy to remember, yet expiration policies mandate their frequent change. Caught in the crossfire between these conflicting requirements, users often adopt creative methods to perform slight variations over time. While easily fooling the most basic checks for similarity, these schemes lead to a substantial decrease in actual security, because leaked passwords, albeit expired, can be effectively exploited as seeds for crackers. This work describes an approach based on Bloom filters to detect password similarity, which can be used to discourage password reuse habits. The proposed scheme intrinsically obfuscates the stored passwords to protect them in case of database leaks, and can be tuned to be resistant to common cryptanalytic techniques, making it suitable for usage on exposed systems.