Username and password match by similarity



  • Back in 2006 I worked in a company that was developing a chat system for TV, where users could send SMS messages to a show that would show on screen.

    Since some of our potential partners could use it for children's shows, we had to use some sort of filtering. Back then I was working with some really smart people, and everyone contributed something. While coming up with a definitive design we tried Bayesian filtering, a neural network, a system to give negative ratings to people known for abusing bad words etc. We used a mix of some of these things, together with a mechanical turk that had to approve messages before they went to the screen, so you see how paranoid we were about cussing.

    My personal contribution during the trials was the use of the Levenshtein Distance. The idea is that any kind of regex gets defeated at some point by some clever form of misspelling. But if we have a dictionary of bad words, then we can set the system so that it only accepts words that are at least some distance away from those words - it would take so much misspelling for something to pass the filter at some given distance that the offensive word would have completely lost its meaning. We tailored it so that it would use different base distances for different situations.

    I must say, this was a very efficient approach, at least in the trials. And that was it... About that time I quit my job in favor of a better paying one, and never heard about it again.

    Fast forward some four years, and some people have heard about my Levenshtein Distance implementation, through a friend of a friend. And then they asked me if I could use that to match usernames and passwords.

    How, you ask? Well, it seems like some PHB somewhere is frustrated by having to change his credentials every now and then in some system, especially since he keeps forgetting what his new credentials are. But he knows his passwords are all similar. So he thought that if the system would accept as valid not only his password but also other close matches, he could guess his way into the system in fewer tries.

    I feel sorry for whoever is responsible for securing data in that company.


  • Trolleybus Mechanic

    [quote user="Renan "C#" Sousa"]Back in 2006 I worked in a company that was developing a chat system for TV, where users could send SMS messages to a show that would show on screen.[/quote]

    If this is one of those "pay per message" or "now you're signed up for spam" schemes, then your former company is a scourge that should be wipe from the face of the planet with flammables. I'll consider offering you a pardon and immunity if you can prove yourself to be a worthy member of society making significant contributions.

    [quote user="Renan "C#" Sousa"]How, you ask? Well, it seems like some PHB somewhere is frustrated by having to change his credentials every now and then in some system, especially since he keeps forgetting what his new credentials are. But he knows his passwords are all similar. So he thought that if the system would accept as valid not only his password but also other close matches, he could guess his way into the system in fewer tries.[/quote]

     I laughed. You're safe. For now.

    [quote user="Renan "C#" Sousa"]I feel sorry for whoever is responsible for securing data in that company.[/quote]

    12345? That's the combination on my luggage. And so is 1234 5, and One2345, and !@#$%, and...




  • [quote user="Renan "C#" Sousa"]How, you ask? Well, it seems like some PHB somewhere is frustrated by having to change his credentials every now and then in some system, especially since he keeps forgetting what his new credentials are. But he knows his passwords are all similar. So he thought that if the system would accept as valid not only his password but also other close matches, he could guess his way into the system in fewer tries.[/quote]

    OK, obviously that's a complete WTF, but it actually suggests an interesting authentication method.

    Imagine if instead of one password you had to type exactly, you had three or four layers that you only had to get approximately right. As long as you don't tell people which word(s) it failed on, I don't see that it's less secure.

    [quote user="Renan "C#" Sousa"]I feel sorry for whoever is responsible for securing data in that company.[/quote]

    This is a situation where the only real remedy is to educate the user in the importance of password security. Generally this kind of shit happens because the users genuinely don't see what's wrong with a lack of security. Explain to them how important it is, and they'll take the effort to remember their passwords. Of course, this all assumes they're simple enough to remember, so you don't get post-it passwords on every monitor.


  • 🚽 Regular

    So, what did you do for very obvious false positives like ship, tots, Meet the Fockers, punt, or families who have sadly named their cat pussy?

    I always wondered if there was some fail of a system that used Levenshtein Distance to give people some "close enough" logins.

    In one project I had a long time ago, I decided to log repeated attempts to failing passwords and, without logging what the user was entering, at least logged the Levenshtein distance to see if the repeated attempts were all "close" which would indicate it's an authorized user who just forgot which letters were capitalized and which symbols to use, and which were a rapid succession of utter failures which indicated a possible brute force attack.
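    Added illustration (an editor's example, not code from Renan, RHuckster or anyone else in this thread) of the two uses of Levenshtein distance described above: the message filter, with an exact-match whitelist standing in for the full dictionary that Renan says was used, and the idea of logging only the distance between consecutive failed login attempts. The word lists, the per-situation thresholds and the sample attempts are all constructed for the example.

```python
import string

# Levenshtein distance: the minimum number of single-character insertions,
# deletions and substitutions that turn a into b. Two-row dynamic programme,
# O(len(a) * len(b)) time.
def levenshtein(a: str, b: str) -> int:
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute (free if equal)
        prev = cur
    return prev[-1]


# (a) The on-screen message filter. Both lists are constructed stand-ins; the
# real system would load the language's full dictionary as the whitelist.
BAD_WORDS = {"idiot", "moron"}
DICTIONARY = {"ship", "tots", "punt", "meet", "the", "fockers", "pussy",
              "idiom", "hello", "you", "are", "an"}
# A token is blocked when its distance to the nearest bad word is <= this
# value; different situations (show types) get different base distances.
BLOCK_WITHIN = {"kids_show": 2, "late_show": 1}


def normalize(token: str) -> str:
    return token.lower().strip(string.punctuation)


def check_word(token: str, profile: str) -> tuple[bool, int]:
    """Return (allowed, distance to nearest bad word) for one token."""
    w = normalize(token)
    if not w:
        return True, -1
    dist = min(levenshtein(w, bad) for bad in BAD_WORDS)
    if dist == 0:
        return False, 0
    if w in DICTIONARY:      # an exact, non-profane dictionary word is always fine
        return True, dist
    return dist > BLOCK_WITHIN[profile], dist


def screen_message(text: str, profile: str) -> list[tuple[str, int]]:
    """Tokens that keep the message off screen, with their distance."""
    blocked = []
    for token in text.split():
        allowed, dist = check_word(token, profile)
        if not allowed:
            blocked.append((normalize(token), dist))
    return blocked


# (b) Failed-login analysis. The attempts exist in memory only while the login
# is being checked; what gets logged is the distance between consecutive
# failures, never the attempts themselves.
def attempt_distances(failed_attempts: list[str]) -> list[int]:
    return [levenshtein(x, y) for x, y in zip(failed_attempts, failed_attempts[1:])]


def classify_failures(failed_attempts: list[str], close: int = 2) -> str:
    dists = attempt_distances(failed_attempts)
    if len(dists) < 2:
        return "insufficient data"
    if max(dists) <= close:
        return "forgotten variant"      # same password, different capitals/symbols
    return "possible brute force"       # unrelated guesses in quick succession


if __name__ == "__main__":
    print(screen_message("you are an id!0t", "kids_show"))   # [('id!0t', 2)]
    print(screen_message("you are an id!0t", "late_show"))   # []
    # constructed sample attempts
    print(classify_failures(["Tr0ub4dor&3", "Tr0ub4dor&2", "tr0ub4dor&3", "Tr0ub4dor3"]))
    print(classify_failures(["password", "123456", "qwerty", "letmein"]))
```

    Two caveats a practitioner would add. The filter cost is O(|blacklist| x len(token)^2) per token, which is fine for SMS-length messages but worth a length cap on tokens. And the login distances are still derived from secret input: a run of small distances tells a reader of the log that the attempts share most of their characters, so treat the numbers as a signal to feed into lockout or alerting logic alongside plain rate limiting, not as something to keep in a broadly readable log.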



  • @Lorne Kates said:

    [quote user="Renan "C#" Sousa"]Back in 2006 I worked in a company that was developing a chat system for TV, where users could send SMS messages to a show that would show on screen.

    If this is one of those "pay per message" or "now you're signed up for spam" schemes, then your former company is a scourge that should be wipe from the face of the planet with flammables. I'll consider offering you a pardon and immunity if you can prove yourself to be a worthy member of society making significant contributions.

    [/quote]

    It was exactly that, except for the spam. My excuse is that by then I was young and naïve, but just to show you how low we could get there was also a lottery (with daily prizes!) where each SMS message was a ticket.

    @RHuckster said:

    So, what did you do for very obvious false positives like ship, tots, Meet the Fockers, punt, or families who have sadly named their cat pussy?

    We had the whole dictionary for the language in a whitelist, so as long as they didn't misspell and the word wasn't considered profane it was allowed.

    @intertravel said:

    Imagine if instead of one password you had to type exactly, you had three or four layers that you only had to get approximately right. As long as you don't tell people which word(s) it failed on, I don't see that it's less secure.

    More passwords to remember. That would mean more passwords relating to easily obtainable personal info, or more passwords on post-its.


  • Trolleybus Mechanic

    [quote user="Renan "C#" Sousa"]@Lorne Kates said:

    [quote user="Renan "C#" Sousa"]Back in 2006 I worked in a company that was developing a chat system for TV, where users could send SMS messages to a show that would show on screen.

    If this is one of those "pay per message" or "now you're signed up for spam" schemes, then your former company is a scourge that should be wipe from the face of the planet with flammables. I'll consider offering you a pardon and immunity if you can prove yourself to be a worthy member of society making significant contributions.

    [/quote]

    It was exactly that, except for the spam. My excuse is that by then I was young and naïve, but just to show you how low we could get there was also a lottery (with daily prizes!) where each SMS message was a ticket.

    [/quote]

    Ugh. I think you owe us at least two more 5-star WTFs for that.

    There was a whole rash of those "SMS to win an IPODZZZ! ($2 fee, recurring daily)" a few years back. I've always wondered what loophole those companies used to get around their local gambling and lottery laws. How did your company get around it?



  • @Lorne Kates said:

    If this is one of those "pay per message" or "now you're signed up for spam" schemes, then your former company is a scourge that should be wiped from the face of the planet with flammables.

    FTFY. Also, no one is forcing you to send these SMS messages, right? I don't understand your problem with this, unless of course you're not informed up-front of the costs and the charging methods being used. Here in the UK, that would be illegal. As would not informing you that by sending this SMS, you may/will receive further (spam) messages.



  • @intertravel said:

    OK, obviously that's a complete WTF, but it actually suggests an interesting authentication method.

    Imagine if instead of one password you had to type exactly, you had three or four layers that you only had to get approximately right. As long as you don't tell people which word(s) it failed on, I don't see that it's less secure.

    I don't know about you, but when I don't remember a password, I completely don't remember a password. I'd go further and say the only people who could come up with "close" passwords are people who use a simple pattern: "mypass1001", "mypass1002", etc.

    HOWEVER, if you had a system that required frequent password changes, but accepted any of the last 3 passwords, would that work better? Usually if I can't remember my current password for a system, I can still pop off the one from 3 weeks ago.



  • @Lorne Kates said:

    [quote user="Renan "C#" Sousa"]@Lorne Kates said:

    [quote user="Renan "C#" Sousa"]Back in 2006 I worked in a company that was developing a chat system for TV, where users could send SMS messages to a show that would show on screen.

    If this is one of those "pay per message" or "now you're signed up for spam" schemes, then your former company is a scourge that should be wipe from the face of the planet with flammables. I'll consider offering you a pardon and immunity if you can prove yourself to be a worthy member of society making significant contributions.

    It was exactly that, except for the spam. My excuse is that by then I was young and naïve, but just to show you how low we could get there was also a lottery (with daily prizes!) where each SMS message was a ticket.

    [/quote]

    Uhg. I think you owe use at least two more 5-star WTFs for that.

    There was a whole rash of those "SMS to win an IPODZZZ! ($2 fee, recurring daily)" a few years back. I've always wondered what loophole those companies used to get around their local gambling and lottery laws. How did your company get around it?

    [/quote]

    Brazil. You can do that kind of stuff here.

    And yeah the lottery was handled with a pseudo-random-number-generating-system, mainly because .NET does not implement emacs butterfly.



  • [quote user="Renan "C#" Sousa"]

    How, you ask? Well, it seems like some PHB somewhere is frustrated by having to change his credentials every now and then in some system, especially since he keeps forgetting what his new credentials are. But he knows his passwords are all similar. So he thought that if the system would accept as valid not only his password but also other close matches, he could guess his way into the system in fewer tries.

    [/quote]

    Naming names because I don't like the company. My first job out of tech school was performing QA for the IVR system that Telus was implementing at that time (late summer - late fall 2004). We were given test scripts, dialed into the system and recorded the results. We were encouraged to deviate (but note down) from the scripts sometimes if we wished. Every account had a four digit access code, and we found that we could transpose any two consecutive digits of this code, and it would still validate. We brought these to our masters, and were told that it was part of the design.

    It's probably been corrected a long time ago, but it was still pretty friggin' dumb.



  • @blakeyrat said:

    I don't know about you, but when I don't remember a password, I completely don't remember a password. I'd go further and say the only people who could come up with "close" passwords are people who use a simple pattern: "mypass1001", "mypass1002", etc.
    I use similar, not equal, passwords for different sites. This results in me sometimes forgetting exactly which variation I used for a certain site. I suppose I could store my passwords using a dedicated app (the browser, even), but I don't think it's worth the trouble.

    BTW, YouTube accounts now must be linked to a Google account. Whyyyyyy?


  • Trolleybus Mechanic

    @Zecc said:

    @blakeyrat said:

    I don't know about you, but when I don't remember a password, I completely don't remember a password. I'd go further and say the only people who could come up with "close" passwords are people who use a simple pattern: "mypass1001", "mypass1002", etc.
    I use similar, not equal, passwords for different sites. This results in me sometimes forgetting exactly which variation I used for a certain site. I suppose I could store my passwords using a dedicated app (the browser, even), but I don't think it's worth the trouble.


     Yup. Worse is when a site you used infrequently has a draconian lockout policy-- 3 wrong attempts and your account is locked. If you're lucky, you can send a password reset email and waste a few minutes of your time-- otherwise, it's a phone call to Customer Service where you get to waste an hour of your time explaining that no, you don't remember your Phone-In-Support PIN either.

    @Zecc said:


    BTW, YouTube accounts now must be linked to a Google account. Whyyyyyy?


    Even more fun last time I checked: To create a new account,  you have to verify the account via SMS. That's a big old "fuck you" from me-- I get enough spam on the phone, in the mail, by email, and at the door-- I don't need even more being sent to my "only in case of emergency" cell phone.

    And besides, the only reason I'd create a new YouTube account would be so I could anonymously browse "certain" videos-- and if I want to anonymously do that, I'm not going to associate it with my cell phone.

    And besides v2.0: If I'm going to do anything anonymously, it isn't going to be through a Google service. I know the agreed upon price of the free service.

    And besides v3.0: It wasn't even one of THOSE videos. It was a comedy sketch. Really. =( 




  • @Zecc said:

    I suppose I could store my passwords using a dedicated app (the browser, even), but I don't think it's worth the trouble.

    I use my webmail as a jerry-rigged "password management system", by just sending emails with the passwords for stuff I use to myself. Note to sane people: this is a dumb idea, don't do it. I use it because I'm fucking lazy, not because it's good.

    But really, compared to other password management software, it's not too bad... I still have a master password that controls access to all the others. And it lets me make essentially random passwords for every non-email service I use. And it lets me store additional information, like what security questions & answers I picked. (I always make sure the answer has nothing to do with the question: Q: "What was your high school mascot?" A: "Mutual Funds" because, for some reason, a lot of banks et al. like to pick questions whose answer can be EASILY LOOKED UP. Like... what was your high school mascot. That was a long and poorly-punctuated parenthetical.)



  • @blakeyrat said:

    @intertravel said:
    OK, obviously that's a complete WTF, but it actually suggests an interesting authentication method.

    Imagine if instead of one password you had to type exactly, you had three or four layers that you only had to get approximately right. As long as you don't tell people which word(s) it failed on, I don't see that it's less secure.

    I don't know about you, but when I don't remember a password, I completely don't remember a password. I'd go further and say the only people who could come up with "close" passwords are people who use a simple pattern: "mypass1001", "mypass1002", etc.

    HOWEVER, if you had a system that required frequent password changes, but accepted any of the last 3 passwords, would that work better? Usually if I can't remember my current password for a system, I can still pop off the one from 3 weeks ago.

    "Do they have a code clearance?"

    "It's an older code but it checks out. I was about to clear them."


  • Trolleybus Mechanic

    @nonpartisan said:

    "Do they have a code clearance?"

    "It's an older code but it checks out. I was about to clear them."


    I said your stupid words!



  • @blakeyrat said:

    @intertravel said:
    OK, obviously that's a complete WTF, but it actually suggests an interesting authentication method.

    Imagine if instead of one password you had to type exactly, you had three or four layers that you only had to get approximately right. As long as you don't tell people which word(s) it failed on, I don't see that it's less secure.

    I don't know about you, but when I don't remember a password, I completely don't remember a password. I'd go further and say the only people who could come up with "close" passwords are people who use a simple pattern: "mypass1001", "mypass1002", etc.

    HOWEVER, if you had a system that required frequent password changes, but accepted any of the last 3 passwords, would that work better? Usually if I can't remember my current password for a system, I can still pop off the one from 3 weeks ago.

    I wasn't thinking of forgotten passwords. More along the lines of deliberately mis-spelling your passwords - if you didn't allow the same combination of mis-spellings to work more than once a day/week, it would defeat keylogging and so-on. Probably a stupid idea.



  • @intertravel said:

    More along the lines of deliberately mis-spelling your passwords - if you didn't allow the same combination of mis-spellings to work more than once a day/week, it would defeat keylogging and so-on. Probably a stupid idea.

    A human rolling-code algorithm? Each password can only be used once and you need to know the last-used password and the algorithm to enter the next one? I've seen this used on a combination lock for a door where the code was the month and day of that week's Monday. (But you didn't need to know the previous code to "add 7" to it.) I've also seen one-time pads distributed by snail mail, which also have the same effect of reducing online or over-the-shoulder snooping.

    This rolling code would defeat keyloggers until the algorithm became widely known. It can't be too complex (probably can't use a private key to generate the next code), so as soon as the nefarious keylogger has one password (or two consecutive passwords) they can log in to your Gmail account. Although this does lock out the legitimate user, providing immediate notification that the account has been compromised, and a password reset will lock the keylogger out.
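    Added illustration (an editor's example, not any poster's code) of the two schemes compared in the post above: the server side of a mailed list of numbered single-use codes, where a code captured by a keylogger is useless once it has been redeemed, beside the "Monday of this week" door code, which anyone who learns the rule can compute for any date. The list length, the number of digits and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta


class OneTimeCodeList:
    """Server side of a mailed list of numbered single-use codes (iTAN style).
    The plaintext list is printed and sent to the user; the server keeps a
    salted hash per entry, marks each one used after redemption and dictates
    which index it wants next, so a captured code cannot be replayed."""

    def __init__(self, count: int = 10, digits: int = 6):
        self.salt = secrets.token_bytes(16)
        # Kept on the object only so the example can play the user's side;
        # a real server would discard the plaintext once the list is printed.
        self.printed = [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]
        self._hashes = [self._digest(i, code) for i, code in enumerate(self.printed)]
        self._used = [False] * count
        self.next_index = 0

    def _digest(self, index: int, code: str) -> bytes:
        # Binding the index in prevents code k from being accepted as code j.
        return hashlib.pbkdf2_hmac("sha256", f"{index}:{code}".encode(), self.salt, 10_000)

    def challenge(self) -> int:
        """Index the server wants next, or -1 when the list is exhausted."""
        return self.next_index if self.next_index < len(self._hashes) else -1

    def redeem(self, index: int, code: str) -> bool:
        if index != self.next_index or index >= len(self._hashes) or self._used[index]:
            return False
        ok = hmac.compare_digest(self._digest(index, code), self._hashes[index])
        if ok:
            self._used[index] = True
            self.next_index += 1
        return ok


def door_code(day: date) -> str:
    """The door-lock scheme from the thread: MMDD of that week's Monday.
    Anyone who knows the rule can compute the code for any day."""
    monday = day - timedelta(days=day.weekday())
    return f"{monday.month:02d}{monday.day:02d}"


if __name__ == "__main__":
    codes = OneTimeCodeList(count=3)
    first = codes.printed[codes.challenge()]   # user reads code #0 off the list
    print(codes.redeem(0, first))              # True: legitimate login
    print(codes.redeem(0, first))              # False: keylogged copy replayed
    print(codes.challenge())                   # 1: server now wants the next code
    print(door_code(date(2010, 6, 17)))        # 0614: the Monday of that week
```

    The replay rejection here comes from state on the server (a used flag and a server-chosen index), not from a rule the user has to remember, which is the difference between this and the door lock: a keylogger that captures one code from the list learns nothing about the next one, whereas one observed door code plus the rule yields every future code.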



  • @Lorne Kates said:

    I've always wondered what loophole those companies used to get around their local gambling and lottery laws.

    Well, the universally accepted way to get around those laws (at least, nowadays) seems to be adding a quiz question - preferably an extremely inane one, like "What do you use to put out a fire? a) Water - b) Bananas" so that even braindead idiots (their preferred target audience - because anyone with more than two functional brain cells should immediately figure out the futility of trying to participate) will go "Oh, I know that, I can win this one!".

    Thus, it becomes a game of "skill" instead of "chance" (in some jurisdictions, at least) and is no longer governed by gambling laws...



  • @Anonymouse said:

    "What do you use to put out a fire? a) Water - b) Bananas"

    Depends what kind of fire it is.  On grease (class B) or electrical (class C) fires, bananas would probably work better.



  • @intertravel said:

    [quote user="Renan "C#" Sousa"]How, you ask? Well, it seems like some PHB somewhere is frustrated by having to change his credentials every now and then in some system, especially since he keeps forgetting what his new credentials are. But he knows his passwords are all similar. So he thought that if the system would accept as valid not only his password but also other close matches, he could guess his way into the system in fewer tries.[/quote]

    OK, obviously that's a complete WTF, but it actually suggests an interesting authentication method.

    Imagine if instead of one password you had to type exactly, you had three or four layers that you only had to get approximately right. As long as you don't tell people which word(s) it failed on, I don't see that it's less secure.

    [quote user="Renan "C#" Sousa"]I feel sorry for whoever is responsible for securing data in that company.[/quote]

    This is a situation where the only real remedy is to educate the user in the importance of password security. Generally this kind of shit happens because the users genuinely don't see what's wrong with a lack of security. Explain to them how important it is, and they'll take the effort to remember their passwords. Of course, this all assumes they're simple enough to remember, so you don't get post-it passwords on every monitor.

    You realize that this requires access to the unencrypted text of the password which is for all practical purposes "really "*80 bad? So even if what you say makes sense, it means that they have unencrypted passwords or reversible encryption which means that if they get hacked all is fuuuuuudged. So, no, no practical uses. Sorry dude.




  • @da Doctah said:

    @Anonymouse said:

    "What do you use to put out a fire? a) Water - b) Bananas"

    Depends what kind of fire it is.  On grease (class B) or electrical (class C) fires, bananas would probably work better.


    That explains why there are monkeys sniffing around our Class C fire extinguisher.



  • Garbage Person

    @astonerbum said:


    You realize that this requires access to the unencrypted text of the password which is for all practical purposes "really "*80 bad? So even if what you say makes sense, it means that they have unencrypted passwords or reversible encryption which means that if they get hacked all is fuuuuuudged. So, no, no practical uses. Sorry dude.

    You could precompute all the possible munges and store their hashes.
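    Added illustration (an editor's example, not code from any poster) of what "accept close matches" costs once it is built the way Garbage Person suggests, using the transposition-tolerant four-digit access code from the Telus story as the second case. neighbourhood() enumerates every string within edit distance 1 of a password, enroll() stores a salted PBKDF2 hash for each variant so no plaintext or reversible encryption is needed, and pin_tolerance_stats() counts how many codes a single guess tests when one adjacent pair of digits may be swapped. The sample password, the alphabet and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def neighbourhood(secret: str, alphabet: str = ALPHABET) -> set[str]:
    """Every string within Levenshtein distance 1 of secret, secret included."""
    out = {secret}
    n = len(secret)
    for i in range(n):
        out.add(secret[:i] + secret[i + 1:])                 # one deletion
        for c in alphabet:
            out.add(secret[:i] + c + secret[i + 1:])         # one substitution
    for i in range(n + 1):
        for c in alphabet:
            out.add(secret[:i] + c + secret[i:])             # one insertion
    return out


def transposition_variants(code: str) -> set[str]:
    """code plus every string reachable by swapping one adjacent pair."""
    out = {code}
    for i in range(len(code) - 1):
        out.add(code[:i] + code[i + 1] + code[i] + code[i + 2:])
    return out


# "Precompute all the possible munges and store their hashes": one salt per
# account and one PBKDF2 hash per accepted variant, so nothing reversible is
# kept. ITERATIONS is an assumed low value so the example runs quickly; a real
# deployment would use a far higher count.
ITERATIONS = 500


def enroll(variants: set[str]) -> tuple[bytes, list[bytes]]:
    salt = os.urandom(16)
    hashes = [hashlib.pbkdf2_hmac("sha256", v.encode(), salt, ITERATIONS)
              for v in sorted(variants)]
    return salt, hashes


def verify(attempt: str, salt: bytes, hashes: list[bytes]) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    match = False
    for h in hashes:                     # no early exit: same work for every attempt
        match |= hmac.compare_digest(h, digest)
    return match


def pin_tolerance_stats(length: int = 4) -> tuple[float, int]:
    """For numeric codes of the given length that also accept one adjacent
    transposition: (average number of codes one guess matches, minimum guesses
    needed to cover the whole keyspace). With exact matching these are 1 and
    10**length."""
    total = 10 ** length
    sizes = [len(transposition_variants(f"{i:0{length}d}")) for i in range(total)]
    return sum(sizes) / total, -(-total // max(sizes))   # ceiling division


if __name__ == "__main__":
    pw = "Tr0ub4d!"                                        # constructed sample
    print(len(neighbourhood(pw)), "hashes to store for one password")     # 1591
    salt, hashes = enroll(neighbourhood(pw))
    print(verify("tr0ub4d!", salt, hashes), verify("Tr0ub4d!!!", salt, hashes))  # True False
    print(pin_tolerance_stats(4))                          # (3.7, 2500)
```

    The numbers are the point. An eight-character password over a 94-symbol alphabet has 1591 strings within distance 1, so the "sensible and scalable" store holds 1591 hashes per user, every login costs 1591 PBKDF2 comparisons (or 1591 hash computations if you cap the store and hash the attempt's neighbourhood instead), and the set of strings an attacker's online guess can hit grows from 1 to 1591. For the four-digit code that accepts any adjacent transposition, one guess matches 3.7 codes on average, and 2500 guesses are enough to cover all 10000, because a guess with four distinct digits covers four codes at once.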



  • Finally!  A sensible and scalable solution!



  • @da Doctah said:

    Depends what kind of fire it is.  On grease (class B) or electrical (class C) fires, bananas would probably work better.

    What if the bananas are on fire?



  • @dhromed said:

    @da Doctah said:

    Depends what kind of fire it is.  On grease (class B) or electrical (class C) fires, bananas would probably work better.

    What if the bananas are on fire?

    You can send the whole thing to space to remove the oxygen. You'll need a fireproof catapult and aim away from the sun, though.


  • @Zecc said:

    You can send the whole thing to space to remove the oxygen. You'll need a fireproof catapult and aim away from the sun, though.

    That sounds like a pretty simple solution!


  • Trolleybus Mechanic

    @Zecc said:

    @dhromed said:

    @da Doctah said:

    Depends what kind of fire it is.  On grease (class B) or electrical (class C) fires, bananas would probably work better.

    What if the bananas are on fire?

    You can send the whole thing to space to remove the oxygen. You'll need a fireproof catapult and aim [b]away from the sun[/b], though.

    But what if it's daytime? We need a globalized version of this solution that includes our solar-based stakeholders.



  • @da Doctah said:

    @Anonymouse said:

    "What do you use to put out a fire? a) Water - b) Bananas"

    Depends what kind of fire it is.  On grease (class B) or electrical (class C) fires, bananas would probably work better.

    I want to see Video proof....



  • @TheCPUWizard said:

    @da Doctah said:

    @Anonymouse said:

    "What do you use to put out a fire? a) Water - b) Bananas"

    Depends what kind of fire it is.  On grease (class B) or electrical (class C) fires, bananas would probably work better.

    I want to see Video proof....

    In Beverly Hills Cop, Eddie Murphy fills a car exhaust with bananas. The car then sputters and won't go anywhere. So you see, bananas can actually keep a combustion engine from working!

