JavaRanch » Java Forums » Java » Java in General
Using Compass (Lucene) To Prevent Dictionary Passwords

Jason Ferguson
My team is trying to meet new password security requirements passed down to us. One of these is preventing dictionary passwords.

My idea is to use Lucene (actually, Compass, which is Spring compatible) to check the user's new password against a password table.

Has anyone done anything like this? Or have you come up with a better way to prevent dictionary-based passwords?

Jason
Pat Farrell
I don't know about Lucene, but in general, to prevent users from using words in a dictionary, you need a dictionary.

The next level to take it to is to complain about words "based on dictionary words", with the idea that if 'boxcar' is in the dictionary, not only is boxcar not allowable, but neither are boxcar1 and boxcar!

Most Linux passwd implementations do this; you can at least take ideas from them (I think it's in C, so the code would need at least a port).

Most of this is derived from ideas that R. E. Gorin implemented in 1971.
Pat Farrell
I've done a little investigation of Lucene, and I don't see why you want to use it. Sure, it can implement a dictionary, but it does far more; it's for full-text search, as in searching for "see why you want" in this posting. That is a lot more than just a dictionary.

A reasonable dictionary can be just 80,000 words in a file or database.

Does your business requirement require matching on parts of words?
That is a lot stronger, and perhaps even a useful requirement. But it adds complexity and will run slower than a simple dictionary lookup using a HashSet.
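Here is how the two checks Pat describes, an exact HashSet lookup and rejection of passwords "based on" a dictionary word, fit together in plain Java. This is an added example, not code from the thread or from any passwd/cracklib implementation. The six-word list is constructed for the demo (load Moby Words or SCOWL in practice), and the leet-substitution table and the strip-digits-and-punctuation-from-the-ends rule are assumptions standing in for the much larger set of mangling rules a tool like cracklib applies.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Dictionary-password check: an exact word-list lookup plus rejection of
 * passwords that are merely a dictionary word with decoration
 * (Boxcar1, boxcar!, b0xcar, racxob). Example code, not from the thread.
 */
public class DictionaryPasswordCheck {

    // Constructed sample word list. In production, load a large list such as
    // Moby Words or SCOWL into this set once at startup; lookups stay O(1).
    private static final Set<String> DICTIONARY = new HashSet<>(List.of(
            "boxcar", "password", "letmein", "welcome", "dragon", "monkey"));

    // Assumed table for undoing common "leet" spellings inside the word.
    private static final Map<Character, Character> SUBSTITUTIONS = Map.of(
            '@', 'a', '$', 's', '0', 'o', '1', 'l', '3', 'e', '5', 's', '7', 't', '!', 'i');

    /** Exact, case-insensitive match against the word list. */
    public static boolean isDictionaryWord(String candidate) {
        return DICTIONARY.contains(candidate.toLowerCase(Locale.ROOT));
    }

    /**
     * Reduce a candidate to the word it is "based on": lower-case it, strip
     * non-letters from both ends, then undo leet substitutions in the core.
     * "Boxcar1" -> "boxcar", "p@ssw0rd!" -> "password".
     */
    public static String baseWord(String candidate) {
        String s = candidate.toLowerCase(Locale.ROOT);
        int start = 0, end = s.length();
        while (start < end && !Character.isLetter(s.charAt(start))) start++;
        while (end > start && !Character.isLetter(s.charAt(end - 1))) end--;
        StringBuilder core = new StringBuilder(end - start);
        for (int i = start; i < end; i++) {
            char c = s.charAt(i);
            Character sub = SUBSTITUTIONS.get(c);
            core.append(sub == null ? c : sub.charValue());
        }
        return core.toString();
    }

    /** Returns null if the candidate passes, otherwise the reason it was rejected. */
    public static String rejectionReason(String candidate) {
        if (isDictionaryWord(candidate)) {
            return "is a dictionary word";
        }
        String base = baseWord(candidate);
        if (base.isEmpty()) {
            // All digits/punctuation: not dictionary-based. Length and
            // complexity rules are a separate policy, not handled here.
            return null;
        }
        if (DICTIONARY.contains(base)) {
            return "is based on the dictionary word '" + base + "'";
        }
        String reversed = new StringBuilder(base).reverse().toString();
        if (DICTIONARY.contains(reversed)) {
            return "is the dictionary word '" + reversed + "' reversed";
        }
        return null;
    }

    public static void main(String[] args) {
        List<String> samples = List.of("boxcar", "Boxcar1", "boxcar!", "p@ssw0rd!",
                "racxob2", "correct-horse-battery", "x7Q#9kLm");
        for (String p : samples) {
            String reason = rejectionReason(p);
            System.out.println(p + " -> " + (reason == null ? "OK" : "REJECTED: " + reason));
        }
    }
}
```

Note what this does not do: it never looks for a dictionary word as a substring, so "correct-horse-battery" passes even if "correct" is in the list. That is the "parts of words" requirement Pat asks about; a HashSet cannot answer it, and you would need a trie or a scan of every substring of the candidate, which is where the cost climbs. Run the dictionary check on the plaintext candidate at the moment the user sets it, because once only a salted hash is stored there is nothing left to compare against a word list.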
William Brogden
For huge word lists, look at Moby Words, for example: here.

Bill
Nicholas Jordan
I wrote a LogonShell that approaches the problem by keeping a hash of commonly used passwords in a static data structure. I wrote a program to get the hashcodes of a wordlist I found on the open internet claiming to be a list of commonly used passwords, then opened the file with my editor and put some static int {} stuff around it. It was just a shell trick for the masses: any password short enough and reasonable enough for a human to remember does not represent to me a usable password; passwords are a pain.

I then do if (map.find(password)) { /** user is a twit, do not trust **/ }

Who wrote "new password security requirements passed down to us"? And please, please consider storing the HASHES of the passwords, not the actual passwords themselves, which can be tampered with by routine curiosity seekers. Kevin's Word List Page has a good collection of dictionaries with which you can begin your work.

Just google for commonly used passwords and be moderately concerned that the password lists you find may not be as cleanly implemented as the SCOWL list that Kevin has up.


"The differential equations that describe dynamic interactions of power generators are similar to that of the gravitational interplay among celestial bodies, which is chaotic in nature."