
In light of the recent Gawker Media password leak, I've realized that many users share the same passwords. To help encourage stronger passwords, would it be helpful if passwords are constrained to be unique among all users?

One immediate downside I could think of (besides account creation performance?) is being able to know that someone is using a given string as a password. This knowledge, combined with a list of users, could be quite dangerous.

Is there a way to mitigate that downside while retaining the alleged benefits of not allowing repeat passwords?

It's kind of like the XKCD kick bot where you aren't allowed to repeat short, unoriginal sentences like "yah" or "lol".

Edit^2: I thought you could unique-ify against a hash, but as someone pointed out, with varying salts, this would not have the intended effect. Good eye!

Mark Canlas
    I think it'd be far safer to just not allow some passwords globally. Revealing that ANY password is valid for some user on the system, to me, is something you do not want to disclose. – Joe Dec 14 '10 at 19:58

5 Answers

Absolutely not.

It is critical that no information about passwords be available to users outside the system. If they can easily guess which passwords are in use, by discovering that a password is unavailable, then they can use those passwords on known usernames and get a good shot at gaining access.

An alternative is to find some kind of common passwords database, and prevent any user from using them.

SingleNegationElimination

eeeuh

I might be misreading your question, but I hope you do not store the actual password?

You should hash the password with a random salt. That way, there is no way for you to ever tell if one or more users have the same password.

If your system, in any way, allows you to determine if two or more users have the same password, you are storing the passwords the wrong way.

Jacco
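Added example (not code from the question or from any of the answers) showing what the answer above describes: each user gets a random salt, only the salt and the derived hash are stored, and two users who chose the same password end up with different records, so a "uniqueness" check against stored data cannot even be expressed. It assumes PBKDF2-HMAC-SHA256 from Python's standard `hashlib`; the iteration count, salt length and the two sample users are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this example: PBKDF2-HMAC-SHA256 with a
# per-user 16-byte random salt. The iteration count is kept low only so
# the example runs quickly; a deployment would use a much larger one.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 10_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what gets stored for one user: salt and derived key, never the password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_detectable(users: dict) -> bool:
    """The only duplicate check the stored data allows: do two records share a
    hash? With per-user random salts this is False even when the underlying
    passwords are identical, which is exactly the point of the answer above."""
    hashes = [r["hash"] for r in users.values()]
    return len(hashes) != len(set(hashes))


def demo() -> dict:
    # Constructed sample: two users happen to pick the same weak password.
    users = {
        "alice": make_record("password1"),
        "bob": make_record("password1"),
    }
    return {
        "salts_differ": users["alice"]["salt"] != users["bob"]["salt"],
        "hashes_differ": users["alice"]["hash"] != users["bob"]["hash"],
        "alice_verifies": verify("password1", users["alice"]),
        "bob_verifies": verify("password1", users["bob"]),
        "wrong_rejected": verify("password2", users["alice"]),
        "duplicates_visible": same_password_detectable(users),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows `hashes_differ: True` and `duplicates_visible: False` while both users still verify: the store holds enough to check a login and nothing that would let the site (or anyone who copies its database) compare two users' passwords directly.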

I would suggest the following, as you have already mentioned the disadvantage of using "unique" passwords for all:

  1. Educate the users about strong passwords.
  2. Ask users to change their password regularly.
  3. Keep a "Password strength" meter while they type in the password.
Shoban

Really don’t

As long as you have salts, the password won’t be stored the same way anyway.

If you want to ensure password security:

  1. Pick a good hash (sha256, blowfish, etc.)
  2. Use salts
  3. Snap-in a password meter with a minimum threshold
  4. A lot of those can be bundled with wordlists

Check out a post I made about it on reddit: http://www.reddit.com/r/netsec/comments/ektb8/in_the_light_of_recent_gawker_breakout_lets_talk/

cslavoie
  • You state in your post: "I don't use a random salt" please read: http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190#1645190 (a salt is random by definition, if you use anything non-random, you are not using a salt, you are using a key instead) – Jacco Dec 14 '10 at 20:11
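Added example (not code from the question, the answers, or the linked reddit post) for the policy side of the list above and the blocklist suggested in the top answer: a password is checked against a common-password wordlist and against a minimum strength threshold, and the result is a pass/fail plus the reasons, which is what a password meter reports back to the user. The wordlist, the threshold, the entropy heuristic and the sample passwords are all constructed for the example; a deployment would load a real wordlist from a file and tune the threshold.

```python
import math
import string
from typing import Iterator, List, Tuple

# Constructed stand-in for a real common-password wordlist.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "monkey", "abc123", "111111",
}

MIN_LENGTH = 8   # constructed policy value
MIN_BITS = 40    # constructed minimum strength threshold for the meter


def normalized_forms(password: str) -> Iterator[str]:
    """Forms to look up in the wordlist: lower-cased, and with a trailing
    run of digits/punctuation removed so 'Password1!' still matches 'password'."""
    base = password.lower()
    yield base
    stripped = base.rstrip(string.digits + string.punctuation)
    if stripped and stripped != base:
        yield stripped


def estimate_bits(password: str) -> float:
    """Rough strength estimate: log2(alphabet size) per character, where the
    alphabet is the union of the character classes actually present.
    This is a heuristic for a meter, not a measure of true entropy."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password: str) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). Every failing rule is reported, so the
    user sees all of the problems at once rather than one per attempt."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if any(form in COMMON_PASSWORDS for form in normalized_forms(password)):
        reasons.append("is a common password, or one with a trivial suffix")
    bits = estimate_bits(password)
    if bits < MIN_BITS:
        reasons.append(f"estimated strength {bits:.0f} bits is below {MIN_BITS}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["password1", "qwerty", "abcdefgh", "Tr0ub4dor&3"]:
        accepted, why = check_password(candidate)
        print(f"{candidate!r}: {'ok' if accepted else 'rejected: ' + '; '.join(why)}")
```

Note that "password1" clears the length and strength rules on its own; it is only the suffix-stripping lookup that catches it, which is why a wordlist check should normalize before comparing rather than test the raw string.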

If password management is done correctly, the only person who should know their password is the user who created it in the first place. In my web sites, I never store the password in any form. I store a cryptographic hash (SHA-1 or some variant) of that password that is manipulated with some sort of unique "salt" padding. Essentially if two people did have unique passwords, there would be no way to tell.

Most of the passwords on that link you gave are all easily guessed dictionary passwords. Very weak, and easy to brute force. They would all be unallowed by any system with rudimentary password checking.

Berin Loritsch