
Using Compass (Lucene) To Prevent Dictionary Passwords

 
Jason Ferguson
Ranch Hand
My team is trying to meet new password security requirements passed down to us. One of which is preventing dictionary passwords.

My idea is to use Lucene (actually, Compass, which is Spring compatible) to check the user's new password against a password table.

Has anyone done anything like this? Or have you come up with a better way to prevent dictionary-based passwords?

Jason
 
Pat Farrell
Rancher
I don't know about Lucene, but in general, to prevent users from using words in a dictionary, you need a dictionary.

The next level to take it is to complain about words "based on dictionary words", with the idea that if 'boxcar' is in the dictionary, then not only is boxcar disallowed, but so are boxcar1 and boxcar!

Most Linux passwd implementations do this; you can at least take ideas from them (I think it's in C, so the code would need at least a port).

Most of this is derived from ideas that R. E. Gorin implemented in 1971.
 
Pat Farrell
Rancher
I've done a little investigation of Lucene, and I don't see why you want to use it. Sure, it can implement a dictionary, but it does far more; it's for full-text search, as in searching for "see why you want" in this posting. That is a lot more than just a dictionary.

A reasonable dictionary can be just 80,000 words in a file or database.

Does your business requirement require matching on parts of words?
That is a lot stronger, and perhaps even a useful requirement. But it adds complexity and will run slower than a simple dictionary lookup using a HashSet.
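The two checks Pat describes in his posts above, a plain dictionary lookup extended to "based on dictionary words" (boxcar1, boxcar!, leet-speak, reversed) and the stronger partial-word match, as an added example that is not code from anyone in this thread. The word list is a constructed stand-in for an 80,000-word file such as Moby Words; the leet substitution table and the minimum fragment length of 4 are my assumptions. Python is used so it runs stand-alone, but the structure is exactly the HashSet approach Pat recommends:

```python
import re
import string

# Constructed mini-dictionary standing in for an ~80,000-word list (e.g. Moby Words).
# In practice load the file into a set once at startup; membership tests are O(1).
DICTIONARY = frozenset("""
boxcar password welcome dragon monkey letmein sunshine
""".split())

# Assumed minimum length for the partial-word check; shorter fragments match too much.
MIN_FRAGMENT = 4

# Assumed "leet" substitutions, reversed so 'p4ssw0rd' becomes 'password'.
LEET = str.maketrans("013457$@!", "oleastsai")


def _strip_edges(word):
    """Remove digits and punctuation bolted onto either end ('boxcar1!' -> 'boxcar')."""
    return word.strip(string.digits + string.punctuation)


def candidate_roots(password):
    """Yield the base words a dictionary attack would try for this password."""
    lower = password.lower()
    seen = set()
    for form in (lower, lower.translate(LEET)):
        for variant in (form, _strip_edges(form), re.sub(r"[^a-z]", "", form)):
            for word in (variant, variant[::-1]):  # also try the reversed word
                if word and word not in seen:
                    seen.add(word)
                    yield word


def is_dictionary_based(password, dictionary=DICTIONARY):
    """Pat's first check: reject the word itself and simple decorations of it."""
    return any(root in dictionary for root in candidate_roots(password))


def contains_dictionary_word(password, dictionary=DICTIONARY, min_len=MIN_FRAGMENT):
    """Pat's stronger check: return the first dictionary word embedded anywhere in
    the password (after lowercasing, de-leeting and dropping non-letters), or None.
    O(n^2) substring lookups, but n is a password length, so still cheap."""
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    for i in range(len(letters)):
        for j in range(i + min_len, len(letters) + 1):
            if letters[i:j] in dictionary:
                return letters[i:j]
    return None


if __name__ == "__main__":
    for pw in ("boxcar", "boxcar1", "B0xc4r", "racxob", "mydragon99", "xq7!Lp9v"):
        print(f"{pw:12} based-on-word={is_dictionary_based(pw)!s:5} "
              f"contains={contains_dictionary_word(pw)}")
```

Note that "mydragon99" passes the first check and fails the second; that difference is the extra strength (and the extra cost) Pat is asking whether the business requirement actually needs.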
 
William Brogden
Author and all-around good cowpoke
Rancher
For huge word lists, look for Moby Words, for example.

Bill
 
Nicholas Jordan
Ranch Hand
I wrote a LogonShell that approaches the problem by keeping a hash of commonly used passwords in a static data structure. I wrote a program to get the hashcodes of a wordlist I found on the open internet claiming to be a list of commonly used passwords, then opened the file with my editor and put some static int {} stuff around it. It was just a shell trick for the masses: any password short enough and reasonable enough for a human to remember does not represent to me a usable password. Passwords are a pain.

I then do if( map.find(password)){/** user is a twit, do not trust **/}

Whoever wrote "new password security requirements passed down to us": please, please consider storing the HASHES of the passwords, not the actual passwords themselves, which can be tampered with by routine curiosity seekers. Kevin's Word List Page has a good collection of dictionaries with which you can begin your work.

Just google for commonly used passwords, and be moderately concerned that the password lists you find may not be as cleanly implemented as the SCOWL list that Kevin has up.
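Nicholas's two points, rejecting anything on a common-password list and storing only hashes of accepted passwords, as an added example that is not code from anyone in this thread. The common-password set is constructed; the storage scheme (PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt and a stored iteration count) is my assumption, since the thread names none. Python is used so it runs stand-alone:

```python
import hashlib
import hmac
import os

# Constructed stand-in for a downloaded "commonly used passwords" list.
COMMON_PASSWORDS = frozenset({"123456", "password", "qwerty", "letmein", "abc123"})

# Assumed PBKDF2 work factor; tune so one verify costs ~100 ms on your hardware.
ITERATIONS = 200_000


def is_common(password):
    """Nicholas's set lookup: the password (case-folded) is on the common list."""
    return password.lower() in COMMON_PASSWORDS


def make_record(password):
    """Build what gets stored. The plaintext never leaves this function."""
    if is_common(password):
        raise ValueError("password is on the common-password list")
    salt = os.urandom(16)  # fresh per user, so equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = make_record("Tr0ub4dor&3")
    print(rec)
    print("correct:", verify("Tr0ub4dor&3", rec), "wrong:", verify("Tr0ub4dor&4", rec))
    try:
        make_record("letmein")
    except ValueError as e:
        print("rejected:", e)
```

Storing the iteration count alongside the hash lets you raise the work factor later and re-hash users on their next successful login; a curiosity seeker who reads the table gets salts and slow-to-crack digests, not passwords.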
 