[Cryptography] Password rules and salt
lists at notatla.org.uk
lists at notatla.org.uk
Sat May 20 10:53:55 EDT 2017
Jerry Leichter <leichter lrw.com> wrote
> He suggested that instead, any string is valid as a
> password, as long as it has never been used before as a
> password by anyone ...
> ... Keep track of used passwords in a Bloom
> filter, *using cryptographically secure hash functions*
> to prove the filter. This has the following properties:
> If a password has been used, it will definitely be caught
> by the filter; if the password hasn't been used, there
> is a small probability it will be caught anyway; even
> someone who sees the individual updates to the filter
> can't determine what's been added to it.
When your secure hash function reaches end of life and
you pick a new one I suppose that means starting a new
dataset. You could test new passwords against both the
old and new filters; storing them in the new one if they
appeared to be in the old. Eventually you'd retire the
old version.
More information about the cryptography
mailing list