Using Compass (Lucene) To Prevent Dictionary Passwords

Jason Ferguson
Ranch Hand

Joined: Aug 09, 2007
Posts: 58
My team is trying to meet new password security requirements passed down to us. One of them is preventing dictionary passwords.

My idea is to use Lucene (actually, Compass, which is Spring compatible) to check the user's new password against a password table.

Has anyone done anything like this? Or have you come up with a better way to prevent dictionary-based passwords?

Pat Farrell

Joined: Aug 11, 2007
Posts: 4659

I don't know about Lucene, but in general, to prevent users from using words in a dictionary, you need a dictionary.

The next level to take it to is to complain about words "based on dictionary words", with the idea that if 'boxcar' is in the dictionary, not only is boxcar not allowable, but neither are boxcar1 and boxcar!

Most Linux passwd implementations do this; you can at least take ideas from them (I think it's in C, so the code would need at least a port).

Most of this is derived from ideas that R. E. Gorin implemented in 1971.
Pat Farrell

Joined: Aug 11, 2007
Posts: 4659

I've done a little investigation of Lucene, and I don't see why you want to use it. Sure, it can implement a dictionary, but it does far more: it's for full-text search. As in searching for "see why you want" in this posting. That is a lot more than just a dictionary.

A reasonable dictionary can be just 80,000 words in a file or database.

Does your business requirement require matching on parts of words?
That is a lot stronger, and perhaps even a useful requirement. But it adds complexity and will run slower than a simple dictionary lookup using a HashSet.
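The two replies above describe a plain HashSet dictionary lookup, rejecting variants such as boxcar1 and boxcar!, and the stronger (and slower) check for dictionary words inside a password. The following is an added example written for this thread, not code from the original posters; the word list is constructed inline and a real deployment would load a large list (such as Moby Words) from a file. Checking every substring against the HashSet costs O(L^2) lookups for a password of length L, which stays independent of dictionary size.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class DictionaryPasswordCheck {

    private final Set<String> dictionary = new HashSet<>();
    private final int minPartLength; // shortest dictionary word we refuse to see inside a password

    public DictionaryPasswordCheck(Iterable<String> words, int minPartLength) {
        this.minPartLength = minPartLength;
        for (String w : words) {
            dictionary.add(w.toLowerCase(Locale.ROOT));
        }
    }

    /** Returns null if the password is acceptable, otherwise the reason it was rejected. */
    public String reject(String password) {
        String lower = password.toLowerCase(Locale.ROOT);
        // "boxcar1" and "boxcar!" both reduce to "boxcar" once the non-letter edges are removed.
        String core = stripEdges(lower);
        if (dictionary.contains(core)) {
            return "'" + core + "' is a dictionary word";
        }
        // "b0xc4r" reduces to "boxcar" once common symbol-for-letter substitutions are undone.
        String plain = stripEdges(undoSubstitutions(lower));
        if (dictionary.contains(plain)) {
            return "'" + password + "' is '" + plain + "' with letters replaced by symbols";
        }
        // Stronger requirement: no dictionary word of minPartLength+ letters anywhere in the password.
        String part = findDictionaryPart(plain);
        if (part != null) {
            return "contains the dictionary word '" + part + "'";
        }
        return null;
    }

    /** Drop leading and trailing digits and punctuation, keeping the alphabetic core. */
    static String stripEdges(String s) {
        int start = 0, end = s.length();
        while (start < end && !Character.isLetter(s.charAt(start))) start++;
        while (end > start && !Character.isLetter(s.charAt(end - 1))) end--;
        return s.substring(start, end);
    }

    /** Reverse the most common "leet" substitutions so the dictionary lookup still hits. */
    static String undoSubstitutions(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '0': sb.append('o'); break;
                case '1': case '|': sb.append('l'); break;
                case '3': sb.append('e'); break;
                case '4': case '@': sb.append('a'); break;
                case '5': case '$': sb.append('s'); break;
                case '7': sb.append('t'); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Longest dictionary word of at least minPartLength letters found as a substring, or null. */
    private String findDictionaryPart(String s) {
        for (int len = s.length(); len >= minPartLength; len--) {
            for (int i = 0; i + len <= s.length(); i++) {
                String candidate = s.substring(i, i + len);
                if (dictionary.contains(candidate)) return candidate;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed word list for the example; load a real one from a file in practice.
        List<String> words = List.of("boxcar", "password", "letmein", "saloon", "moose");
        DictionaryPasswordCheck check = new DictionaryPasswordCheck(words, 5);
        for (String p : List.of("boxcar", "boxcar1", "boxcar!", "B0xc4r", "xyzmoose99", "Tr7#qL2v!e")) {
            String reason = check.reject(p);
            System.out.println(p + " -> " + (reason == null ? "ok" : "rejected: " + reason));
        }
    }
}
```

The substring pass is the "parts of words" requirement Pat mentions; drop the call to findDictionaryPart if the policy only needs whole-word matching, and the check is a handful of HashSet lookups per password.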
William Brogden
Author and all-around good cowpoke

Joined: Mar 22, 2000
Posts: 13037
For huge word lists - look for Moby Words for example - here.

Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
I wrote a LogonShell that approaches the problem by keeping a hash of commonly used passwords in a static data structure. I wrote a program to get the hashcodes of a wordlist I found on the open internet claiming to be a list of commonly used passwords, then opened the file with my editor and put some static int {} stuff around it. It was just a shell trick for the masses: any password short enough and reasonable enough for a human to remember does not represent to me a useable password, passwords are a pain.

I then do if( map.find(password)){/** user is a twit, do not trust **/}

Whoever wrote "new password security requirements passed down to us": please, please consider storing the HASHES of the passwords, not the actual passwords themselves, which can be tampered with by routine curiosity seekers. Kevin's Word List Page has a good collection of dictionaries with which you can begin your work.

Just google for commonly used passwords, and be moderately concerned that the password lists you find may not be as cleanly implemented as the SCOWL list that Kevin has up.

I agree. Here's the link: