undefined | Better HN

0 pointsSamBam8y ago0 comments

I think it would decrease the benefit, yes.

If you store the hash of the password, plus the hash of a hundred "similar" passwords, then the hacker only has to brute-force one to find that they are on the right track, and then brute-force "similar" combinations.

0 comments

MikeTV8y ago

Unless you do it the other way around: Generate a list of all passwords similar to the one the user just entered and see if that matches any previous hashes. This is how Facebook's password check works [0]

[0] https://security.stackexchange.com/a/53483

dainichi8y ago

Supposedly, you'd only be able to get feedback about the similarity of a password in a state where you're already authenticated. So I guess this would help an attacker get the password when they've already gained access in some other way. But that's a big assumption.

j / k navigate · click thread line to collapse

0 pointsSamBam8y ago0 comments

I think it would decrease the benefit, yes.

0 comments

MikeTV8y ago

[0] https://security.stackexchange.com/a/53483

dainichi8y ago

j / k navigate · click thread line to collapse