Using Compass (Lucene) To Prevent Dictionary Passwords

Ranch Hand
My team is trying to meet new password security requirements passed down to us. One of which is preventing dictionary passwords.

My idea is to use Lucene (actually, Compass, which is Spring compatible) to check the user's new password against a password table.

Has anyone done anything like this? Or have you come up with a better way to prevent dictionary-based passwords?

Jason
Rancher
I don't know about Lucene, but in general, to prevent users from using words in a dictionary, you need a dictionary.

The next level to take it is to complain about words "based on dictionary words", with the idea that if 'boxcar' is in the dictionary, not only is boxcar not allowable, but so are boxcar1 and boxcar!

Most Linux passwd implementations do this; you can at least take ideas from them (I think it's in C, so the code would need at least a port).

Most of this is derived from ideas that R. E. Gorin implemented in 1971.
Pat Farrell
I've done a little investigation of Lucene, and I don't see why you want to use it. Sure, it can implement a dictionary, but it does far more; it's for full-text search, as in searching for "see why you want" in this posting. That is a lot more than just a dictionary.

A reasonable dictionary can be just 80,000 words in a file or database.

Does your business requirement require matching on parts of words?
That is a lot stronger, and perhaps even a useful requirement. But it adds complexity and will run slower than a simple dictionary lookup using a HashSet.
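The two checks discussed in the posts above, as an added example written for this page rather than code from the thread: a plain HashSet dictionary lookup extended to catch the "boxcar1" / "boxcar!" / leet-speak variants, plus the slower "matching on parts of words" check. The class name, the word list (a constructed sample of four words standing in for a full word list) and the minimum embedded-word length are all assumptions made for the example.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not code from the original thread. A dictionary check that
 * does a bit more than a plain HashSet lookup: it also rejects trivial
 * variants of dictionary words (trailing digits or punctuation, leet-speak)
 * and, optionally, any password that contains a dictionary word. The word
 * list used below is a constructed sample; a real deployment would load a
 * full word list (tens of thousands of entries) into the same HashSet.
 */
public class DictionaryPasswordCheck {

    // Assumed threshold: shorter embedded words ("a", "an", "the") would reject nearly everything.
    private static final int MIN_EMBEDDED_WORD = 4;

    private final Set<String> dictionary = new HashSet<>();

    public DictionaryPasswordCheck(Iterable<String> words) {
        for (String w : words) {
            dictionary.add(w.toLowerCase(Locale.ROOT));
        }
    }

    /** Undo common leet-speak substitutions: "p@ssw0rd" becomes "password". */
    static String unleet(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '@': case '4': sb.append('a'); break;
                case '$': case '5': sb.append('s'); break;
                case '0':           sb.append('o'); break;
                case '1':           sb.append('l'); break;
                case '3':           sb.append('e'); break;
                case '7':           sb.append('t'); break;
                default:            sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Strip leading/trailing non-letters: "boxcar1" and "boxcar!" become "boxcar". */
    static String stripEdges(String s) {
        int start = 0;
        int end = s.length();
        while (start < end && !Character.isLetter(s.charAt(start))) {
            start++;
        }
        while (end > start && !Character.isLetter(s.charAt(end - 1))) {
            end--;
        }
        return s.substring(start, end);
    }

    /** Cheap check: the candidate, or a trivial variant of it, is a dictionary word. */
    public boolean isDictionaryBased(String candidate) {
        String lower = candidate.toLowerCase(Locale.ROOT);
        String stripped = stripEdges(lower);
        for (String form : List.of(lower, stripped, unleet(lower), unleet(stripped))) {
            if (!form.isEmpty() && dictionary.contains(form)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Stronger and slower check: some substring of length >= MIN_EMBEDDED_WORD
     * is a dictionary word. For a password of length n this is O(n^2) HashSet
     * probes, still fast for the lengths humans type, but noticeably more
     * work than the single lookup above.
     */
    public boolean containsDictionaryWord(String candidate) {
        String s = unleet(candidate.toLowerCase(Locale.ROOT));
        for (int i = 0; i < s.length(); i++) {
            for (int j = i + MIN_EMBEDDED_WORD; j <= s.length(); j++) {
                if (dictionary.contains(s.substring(i, j))) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample word list.
        DictionaryPasswordCheck check = new DictionaryPasswordCheck(
                List.of("boxcar", "password", "summer", "welcome"));
        for (String p : List.of("boxcar", "boxcar1", "boxcar!", "B0xc@r",
                                "P@ssw0rd!", "mysummer99", "x7Qm#pL2vR")) {
            System.out.println(p
                    + " dictionaryBased=" + check.isDictionaryBased(p)
                    + " containsWord=" + check.containsDictionaryWord(p));
        }
    }
}
```

With the sample list, "boxcar", "boxcar1", "boxcar!", "B0xc@r" and "P@ssw0rd!" fail the cheap check, "mysummer99" passes it but fails the substring check, and "x7Qm#pL2vR" passes both. The substring check is the part that actually costs something, which is the trade-off the post describes: decide whether the requirement really calls for it before paying for it on every password change.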
Author and all-around good cowpoke
For huge word lists, look for Moby Words, for example, here.

Bill
Ranch Hand
I wrote a LogonShell that approaches the problem by keeping a hash of commonly used passwords in a static data structure. I wrote a program to get the hashcodes of a word list I found on the open internet claiming to be a list of commonly used passwords, then opened the file with my editor and put some static int {} stuff around it. It was just a shell trick for the masses: any password short enough and reasonable enough for a human to remember does not represent to me a usable password; passwords are a pain.

I then do if( map.find(password)){/** user is a twit, do not trust **/}

Who wrote: "new password security requirements passed down to us"? And please, please consider storing the HASHES of the passwords, not the actual passwords themselves, which can be tampered with by routine curiosity seekers. Kevin's Word List Page has a good collection of dictionaries with which you can begin your work.

Just google for commonly used passwords and be moderately concerned that the password lists you find may not be as cleanly implemented as the SCOWL list that Kevin has up.
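The two points in the post above, as an added example written for this page (not the LogonShell the poster describes, and not code from the thread): a common-password blocklist kept as SHA-256 digests rather than plaintext or 32-bit hashcodes (which collide), and storing only a salted, iterated hash of the password the user is finally allowed to set. The class name, the four-entry blocklist (a constructed sample) and the PBKDF2 iteration count are assumptions made for the example; the crypto is standard JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not code from the original thread.
 *  1. A blocklist of commonly used passwords held as SHA-256 digests, so the
 *     plaintext list need not ship with the code and equal digests mean equal
 *     passwords (unlike String.hashCode, which is 32 bits and collides).
 *  2. Password storage as iterations$salt$PBKDF2-hash, never the password.
 * The blocklist entries are a constructed sample; the iteration count is an
 * assumed work factor to tune to your own hardware budget.
 */
public class CommonPasswordBlocklist {

    private static final int PBKDF2_ITERATIONS = 600_000;
    private static final int PBKDF2_KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    private final Set<String> blockedDigests = new HashSet<>();

    public CommonPasswordBlocklist(Iterable<String> commonPasswords) {
        for (String p : commonPasswords) {
            blockedDigests.add(sha256Hex(p.toLowerCase(Locale.ROOT)));
        }
    }

    /** Lookup key for the blocklist: an unsalted digest, good for equality only. */
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** True if the candidate (case-insensitively) is on the common-password list. */
    public boolean isCommon(String candidate) {
        return blockedDigests.contains(sha256Hex(candidate.toLowerCase(Locale.ROOT)));
    }

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, PBKDF2_KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    /** What goes in the user table: iterations$salt$hash, with a fresh random salt per user. */
    public static String hashForStorage(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return PBKDF2_ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(dk);
    }

    /** Re-derive with the stored salt and iteration count, compare in constant time. */
    public static boolean verify(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt, iterations));
    }

    public static void main(String[] args) {
        // Constructed sample of a "commonly used passwords" list.
        CommonPasswordBlocklist list = new CommonPasswordBlocklist(
                List.of("123456", "password", "qwerty", "letmein"));

        for (String candidate : List.of("Password", "letmein", "K9#vTq2!mZx")) {
            if (list.isCommon(candidate)) {
                System.out.println(candidate + ": rejected, on the common-password list");
                continue;
            }
            String stored = hashForStorage(candidate.toCharArray());
            System.out.println(candidate + ": accepted, stored as " + stored);
            System.out.println("  verify(correct)=" + verify(candidate.toCharArray(), stored)
                    + " verify(wrong)=" + verify("wrong".toCharArray(), stored));
        }
    }
}
```

The blocklist digest is deliberately unsalted: it is a set membership key, not a storage format, and anyone with the list can rebuild it anyway. The stored user hash is the opposite case, salted and iterated, so a leaked user table does not let an attacker test one guess against every account at once.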