
Passphrase Filter for Detection/ Rejection of Weak User Selected Passphrases

IP.com Disclosure Number: IPCOM000108940D
Original Publication Date: 1992-Jul-01
Included in the Prior Art Database: 2005-Mar-23
Document File: 6 page(s) / 224K

Publishing Venue

IBM

Related People

Johnson, D: AUTHOR [+5]

Abstract

This article describes a method for the detection/rejection of weak user selected passphrases. A passphrase is an intelligible English phrase of up to 80 characters. It is used together with a passphrase hashing algorithm to generate a 64-bit value with cryptographic strength equivalent to a 64-bit data encryption algorithm (DEA) cryptographic key. A passphrase filter is similar in concept to a password filter; it is a utility program which rejects "bad" user-selected passphrases, or passphrases that an adversary might potentially discover by using an exhaustive directed search.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 30% of the total text.


An example involving passwords illustrates the importance of such a checking procedure. User-selected passwords, like user-selected passphrases, present a more user-friendly interface for access control. However, it is well known that people have a tendency to "take the easy way out." If the 6-digit passwords chosen by 1000 people are examined, we are almost assured that the distribution will not be uniform. We will find a disproportionate number of passwords consisting of six repeated digits (000000, 111111, etc.), digits in sequence (123456, 234567, etc.), or digits with other obvious patterns. Knowing this, an adversary can organize an exhaustive search so that the most likely candidates are tried first; in many cases only a few trials are required to find a password. As a countermeasure, users must be told of the risks involved in password selection, and the installation's computing systems must give users a set of simple rules to follow when selecting passwords. Password checking algorithms can also be provided in many computer systems to test and reject weak passwords. A similar, but more involved, set of rules must be followed in passphrase construction. In many cases the rules are less intuitive, and a system-implemented passphrase filter is therefore all the more important. A passphrase filter consists of a set of simple, fast tests applied to a trial passphrase. Each test estimates the variability of the passphrase, and the minimum value over all the tests is reported back to the user.
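The filter design described above (a set of simple, fast tests, each estimating the variability of the trial passphrase, with the minimum reported back and compared by the invoker against the least variability it will accept) as an added worked example in Python. This is not code from the disclosure: the six tests, the bit estimates they assign, the 1.3 bits-per-character figure for English prose, the common-word and known-phrase lists, and the sample passphrases are all assumptions constructed for illustration.

```python
"""Illustrative passphrase filter (added example, not the disclosure's code).

Each test returns an estimate of the trial passphrase's variability in bits,
or math.inf when the test does not apply; the filter reports the minimum over
all tests and which test produced it.  The tests, their bit estimates and the
word/phrase lists below are assumptions made for this example.
"""
import math
import re

MAX_LEN = 80                  # passphrase length limit stated in the text
TARGET_BITS = 64              # strength of a 64-bit DEA key

# Assumed figures behind the estimates.
ENGLISH_BITS_PER_CHAR = 1.3   # Shannon's estimate for English prose
PATTERN_BITS = 0.25           # credit for a char that repeats/steps from its neighbour
COMMON_WORD_BITS = 11.0       # log2(2048): assumed size of a common-word list
KNOWN_PHRASE_BITS = 20.0      # log2(1M): assumed size of a quotation/leaked-password list

# Constructed, tiny stand-ins for real word and phrase lists.
COMMON_WORDS = {"the", "a", "to", "of", "and", "in", "is", "it", "my", "be",
                "or", "not", "that", "password", "secret", "quick", "brown",
                "fox", "jumps", "over", "lazy", "dog", "question", "correct",
                "horse", "battery", "staple"}
KNOWN_PHRASES = {"the quick brown fox jumps over the lazy dog",
                 "to be or not to be that is the question",
                 "correct horse battery staple", "123456", "password"}


def class_bits(ch):
    """log2 of the size of the smallest character class containing ch."""
    if ch.isdigit():
        return math.log2(10)
    if ch.isalpha():
        return math.log2(26)
    return math.log2(33)      # assume ~33 space/punctuation symbols


def bits_brute_force(p):
    """Upper bound: adversary knows only which character classes appear."""
    return sum(class_bits(c) for c in p)


def bits_english_rate(p):
    """Intelligible English carries about 1.3 bits per character, so a 64-bit
    key needs roughly 50 characters of prose whatever the alphabet suggests."""
    return ENGLISH_BITS_PER_CHAR * len(p)


def bits_distinct_symbols(p):
    """Few distinct symbols, little room to vary: 000000 scores zero."""
    return len(p) * math.log2(len(set(p))) if p else 0.0


def bits_adjacent_patterns(p):
    """Repeats (111111) and +/-1 steps (123456, abcdef) are the obvious patterns;
    a char that merely repeats or steps from its predecessor earns PATTERN_BITS."""
    total = 0.0
    for i, c in enumerate(p):
        patterned = i > 0 and abs(ord(c) - ord(p[i - 1])) <= 1
        total += PATTERN_BITS if patterned else class_bits(c)
    return total


def bits_dictionary_words(p):
    """A common word is one pick from a short list, not independent letters;
    tokens not in the list are scored character by character."""
    total = 0.0
    for token in re.findall(r"[A-Za-z0-9']+|[^A-Za-z0-9'\s]", p):
        if token.lower() in COMMON_WORDS:
            total += COMMON_WORD_BITS
        else:
            total += sum(class_bits(c) for c in token)
    return total


def bits_known_phrases(p):
    """Directed search: quotations and leaked passwords are tried first, so an
    exact hit is worth only log2(list size)."""
    key = " ".join(p.lower().split())
    return KNOWN_PHRASE_BITS if key in KNOWN_PHRASES else math.inf


TESTS = [("brute_force", bits_brute_force), ("english_rate", bits_english_rate),
         ("distinct_symbols", bits_distinct_symbols),
         ("adjacent_patterns", bits_adjacent_patterns),
         ("dictionary_words", bits_dictionary_words),
         ("known_phrases", bits_known_phrases)]


def estimate_variability(passphrase):
    """The filter proper: run every test, return (minimum bits, weakest test)."""
    if len(passphrase) > MAX_LEN:
        raise ValueError(f"passphrase longer than {MAX_LEN} characters")
    name, bits = min(((n, f(passphrase)) for n, f in TESTS), key=lambda t: t[1])
    return bits, name


def check_passphrase(passphrase, minimum_bits=TARGET_BITS):
    """What the invoker does with the estimate: accept only if it meets the
    least variability it will tolerate (64 bits for a DEA key)."""
    bits, weakest = estimate_variability(passphrase)
    return bits >= minimum_bits, bits, weakest


if __name__ == "__main__":
    for trial in ("000000", "123456", "correct horse battery staple",
                  "The quick brown fox jumps over the lazy dog",
                  "Seventeen purple walruses juggled flaming pineapples "
                  "on the moon last Tuesday"):      # constructed sample inputs
        ok, bits, weakest = check_passphrase(trial)
        print(f"{'accept' if ok else 'reject'} {bits:6.1f} bits "
              f"(limited by {weakest}): {trial!r}")
```

Reporting the weakest test alongside the minimum tells the user what to change (a famous quotation fails on the phrase list, not on length), and keeping the acceptance threshold in the invoker rather than the filter mirrors the separation the text describes: the filter only estimates, the caller decides what a 64-bit key requires.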

Fig. 1 illustrates a cryptographic system consisting of a cryptographic facility (CF) 1 capable of executing a set of cryptographic instructions 2, a key storage 3, a cryptographic facility access program (CFAP) 4, and the application programs 5 that use it. The cryptographic facility access program 4 contains a passphrase filter utility program 6, accessed via a CFAP macro called Check Passphrase 7. The following steps are involved in checking a trial passphrase. An application 5 invokes the Check Passphrase macro 7. The trial passphrase is checked and the estimated variability of the passphrase is returned to the invoker. The invoker should establish the least variability that will be accepted, e.g., for DEA key generati...