
Want to Block Common Passwords? Sorry, That is Patented - m8urn
https://xato.net/passwords/want-to-block-common-passwords-sorry-that-is-patented/
======
utopkara
Re: IBM patents, IBM has an interesting, and quite unique strategy regarding
IP. About 20-25% of IBM patents are software patents, and IBM uses this patent
portfolio to protect open source projects, especially Linux
(<http://www.linuxplanet.com/linuxplanet/opinions/7034/1>). Also, IBM
historically abandons a large portion of its issued patents
(<http://www.patentlyo.com/patent/2012/03/ibms-patent-abandonment-strategy.html>),
and the abandoned patents become prior art, protecting
everybody.

~~~
oelmekki
That's a valid point. I still don't understand why there is no (afaik)
"general public patent" mechanism of some kind: a procedure to have someone
claim a patent on behalf of the general public.

This would certainly stop patent trolls, and avoid making people suspicious
when you claim "protective patents" as you describe.

~~~
tomerv
What you're describing is known as "prior art": simply publish your idea
anywhere public, and it automatically becomes invalid for patenting. You don't
even need to implement anything.

~~~
oelmekki
Yep, I'm aware of the prior art rule, except:

a) it's about things that should have been actually used, where a patent is
about concepts

b) scope of the idea is not clearly defined and so could be argued with, when
a real patent definition for general public use would prohibit that.

And that's exactly the point for IBM to issue protective patents, I think.

~~~
RyanMcGreal
As I understand it, patents apply to applied inventions, not to concepts. In
other words, to patent an idea, you need a working model. A patent is a time-
limited legal monopoly on making the application, granted in exchange for
disclosure of what the application does and how it works.

~~~
talmand
I've seen numerous patents for concepts with no working models and not just
software patents. They do explain how such a device would work and many do
seem reasonable, but they often will not have a built and working example.

------
Lasher
Not to be melodramatic, but as someone still in a day job this whole patent
mess seriously does discourage me from taking the leap and risking everything
to try to invent something meaningful only to get hit with a patent troll
lawsuit just as we start to find our feet.

~~~
mdkess
That's an excuse if I've ever heard one. You would be so lucky to get sued.
"I'd be a famous musician, but I'm worried about the publicity."

~~~
talmand
Being famous doesn't cost a musician money.

Sure, he would be "lucky" to be in a position of potentially losing his
business and/or idea in the course of defending it. There's potentially a huge
cost even if he were to win.

------
Fletch137
The problem with blocking common passwords is that quite often you just end up
creating a new set of common passwords.

I had to set up a management system a while back, and given the sensitivity of
the data, it seemed prudent to block passwords such as "password" and
"123456". The result? The most common password was "drowssap", even after an
email explaining why they needed to use strong passwords.

I could have gone back and added something for permutations of common
passwords, extended my exclusion list or any number of other solutions, but it
seems like every time you find a way to stop a user being a security problem,
they find another way.
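An added example (not code from the thread or the linked article) of the permutation problem Fletch137 describes: a denylist check that normalizes the candidate before comparing, so "drowssap", "P@ssw0rd!" and "password5551234" all fail against the same short list. The denylist, the leet table and the sample inputs are constructed for the demo; a real deployment would load a published list of thousands of entries.

```python
import re

# Constructed sample denylist; a real one is much larger.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
})

# Substitutions users make to slip past a plain string match.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Leading/trailing digits and symbols are decoration on a base word
# ("password2012!", "!password", "password5551234").
_DECORATION = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def normalize(password: str) -> str:
    """Strip decoration first, then undo leet, leaving the base word."""
    base = _DECORATION.sub("", password.lower())
    return base.translate(_LEET)


def denylist_reason(password: str):
    """Return why a password is rejected, or None if it passes.

    The raw (lower-cased) form is checked first so entries such as
    "123456", which normalization would mangle, are still caught.
    """
    raw = password.lower()
    base = normalize(password)
    forms = (
        (raw, "is a common password"),
        (raw[::-1], "is a common password spelled backwards"),
        (base, "is a common password with digits/symbols added"),
        (base[::-1], "is a common password reversed with digits/symbols added"),
    )
    for form, reason in forms:
        if form and form in COMMON_PASSWORDS:
            return reason
    return None


if __name__ == "__main__":
    for pw in ["password", "drowssap", "P@ssw0rd!", "password2012",
               "drowssap1", "password5551234", "correct horse battery staple"]:
        print(f"{pw!r:32} -> {denylist_reason(pw)}")
```

The check is deliberately generous: anything whose base word reduces to a denylist entry is refused, which is the only way to stay ahead of the next "drowssap" without enumerating every decoration by hand.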

~~~
antninja
I remember a paper, from Microsoft I think, where the proposed method was to
keep a list of all passwords and prevent any password to be used more than X
times. This way no password becomes common. But it would likely be frustrating
for users who try to find a password (like trying to find a username on
Hotmail: everything is taken!).

~~~
tdrgabi
Doesn't that mean that you keep the passwords in clear?

They don't have a user => password relation, but having a list of passwords to
go through will make any bruteforce attack extremely fast.

~~~
mseebach2
You could at least bcrypt them all with the same salt, however, it's a long
step backwards from individual salting. Also, then you can't check for
"[common base password][phone number]" or some variation that's exactly as
dangerous as just using a common password - if you kept a plaintext list, you
could do substring searches.

The more important lesson here is probably that your users insisting on using
crappy passwords isn't really a problem for technology to solve. If your users
aren't in the mindset of feeling an obligation towards protecting the data,
there are much bigger holes in the network than password complexity
enforcement.

<http://www.smbc-comics.com/comics/20120220.gif>

<http://www.theregister.co.uk/2008/04/16/password_security/>
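An added example, not code from the thread, of the scheme antninja recalls and mseebach2 discusses: a table that counts how many accounts share a password and refuses the (X+1)th. The keys are PBKDF2 over the normalized base word with one fixed salt (the stdlib stand-in for "bcrypt them all with the same salt"), so equal bases give equal keys; stripping trailing digits and symbols before hashing is how this example handles the "[common base][phone number]" case that a hashed table cannot substring-search. MAX_USES, the salt, the work factor and the sample passwords are all assumptions made for the demo.

```python
import hashlib
import re
from collections import Counter

MAX_USES = 3                                   # "X" in the comment; demo value
FIXED_SALT = b"constructed-site-wide-salt"     # one salt for the whole table
ITERATIONS = 50_000                            # PBKDF2 work factor; demo value

# Leading/trailing digits and symbols are decoration on a base word.
_DECORATION = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def base_word(password: str) -> str:
    """'hunter2', 'Hunter2!' and 'hunter2-555-1234' all reduce to 'hunter'."""
    stripped = _DECORATION.sub("", password.lower())
    return stripped or password.lower()       # all-digit passwords keep themselves


def popularity_key(password: str) -> bytes:
    """Deterministic slow hash of the base word under one fixed salt, so
    equal bases give equal keys (a per-user salt would destroy that)."""
    return hashlib.pbkdf2_hmac("sha256", base_word(password).encode(),
                               FIXED_SALT, ITERATIONS)


class PopularityGate:
    """Counts accounts per password base and refuses the (max_uses+1)th."""

    def __init__(self, max_uses: int = MAX_USES):
        self.max_uses = max_uses
        self.counts = Counter()               # key -> accounts using that base

    def try_accept(self, password: str) -> bool:
        key = popularity_key(password)
        if self.counts[key] >= self.max_uses:
            return False
        self.counts[key] += 1
        return True

    def release(self, password: str) -> None:
        """Call when an account stops using this password, so the slot frees."""
        key = popularity_key(password)
        if self.counts[key] > 0:
            self.counts[key] -= 1


if __name__ == "__main__":
    gate = PopularityGate(max_uses=2)
    for pw in ["hunter2", "Hunter2!", "hunter2-555-1234", "tr0ub4dor&3"]:
        print(f"{pw!r:20} accepted={gate.try_accept(pw)}")
```

The caveat tdrgabi raised still applies: with a single salt the table is itself a one-hash-per-guess oracle, so it needs at least the same protection as the password store. It also only measures what is popular on this site, so a denylist of globally common passwords is still needed alongside it.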

~~~
lifeisstillgood
Is it me, or is individual salting rather redundant?

I can see why using one salt forevermore is rubbish, but if I salt a different
user with a different salt each time, I need to keep that salt in plaintext
next to the hash, making the whole salting thing a bit redundant if I get a
LinkedIn-style loss.

I certainly see a benefit in padding out user passwords to say 128 bits each
time, combined with crypt it will slow down any mass brute force /rainbow
attack.

Pre-edit edit: I just answered my own question did I not.

~~~
ajanuary
If I understand your point correctly, you're asking how critical it is to
always give different/random salts to each password?

Even if you know that hash('password', 'salt1') hashes to a user's hash,
you'd need to recompute hash('password', 'salt2') to check if it's the hash
for someone else. It slows them down by increasing the amount of work. If they
had the same salt it would be the same hash for multiple users.

~~~
lifeisstillgood
Sort of - I had always thought of a salt as _another_ password - something to
keep secret so that if the dbase of hashes was lost, there was an "unknown"
component that would take an age of searching to find.

This logic is clearly flawed - if they have the dbase they presumably have
everything.

So I now understand more clearly - salts are there to

  1. pad out the plaintext to increase time to compute

  2. convert plaintext from commonly used words (pass1) to unique plaintext,
     reducing the ease of cracking multiple passwords.

In short, salts help slow down the attacker when he has all your hashes. Just
like bcrypt et al.

And he was enlightened...
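An added example, not code from the thread, that makes the ajanuary/lifeisstillgood point measurable: against a leaked table, a shared salt lets the attacker hash each guess once and compare it with every row, while per-user salts force one hash per guess per user. The salt is stored in the clear next to the hash, exactly as the thread says. SHA-256 stands in for a real password hash only so the calls can be counted (use bcrypt, scrypt or Argon2 in practice); the user names, passwords and wordlist are constructed.

```python
import hashlib
import os

# Constructed sample accounts; three of the four share a password.
USERS = {"alice": "password", "bob": "password",
         "carol": "letmein", "dave": "password"}
# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted hash. SHA-256 is far too fast for real password storage;
    it is used here only so the demo can count invocations."""
    return hashlib.sha256(salt + password.encode()).digest()


def make_db(users, per_user_salt: bool):
    """Build {user: (salt, hash)}. The salt is not a secret: it sits in
    the table beside the hash and is lost with it."""
    shared = os.urandom(16)
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16) if per_user_salt else shared
        db[user] = (salt, hash_pw(pw, salt))
    return db


def crack(db, wordlist):
    """Offline guessing against a leaked table.

    Returns (recovered {user: password}, number of hash calls). Results
    are cached per (salt, guess), so with a shared salt each guess is
    hashed once and compared against every row; with per-user salts the
    cache never hits and the work is guesses * users.
    """
    cache = {}
    calls = 0
    recovered = {}
    for guess in wordlist:
        for user, (salt, stored) in db.items():
            key = (salt, guess)
            if key not in cache:
                cache[key] = hash_pw(guess, salt)
                calls += 1
            if cache[key] == stored:
                recovered[user] = guess
    return recovered, calls


def distinct_hashes(db) -> int:
    """A shared salt also reveals, before any cracking, which users share
    a password: identical passwords give identical rows."""
    return len({stored for _, stored in db.values()})


if __name__ == "__main__":
    for per_user in (False, True):
        db = make_db(USERS, per_user)
        found, calls = crack(db, WORDLIST)
        print(f"per-user salt={per_user}: recovered {len(found)} of {len(db)} "
              f"with {calls} hash calls; {distinct_hashes(db)} distinct hashes")
```

Both tables fall to this tiny wordlist, which is the other half of the thread's conclusion: salting multiplies the attacker's work by the number of users, and a slow hash multiplies it again per call, but neither rescues a password that is on the first page of the wordlist.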

------
ahi
IANAL, but foreknowledge of patent infringement can triple damage liability
right? So is just having the headline of this story on the front page of HN
enough to cause problems for the entire HN community?

~~~
npc
IANAL either, but I assume that they would have to somehow prove that you read
it, perhaps by showing that you posted in the comments section.

~~~
user-id
Also, just because someone on the internet says "X is illegal", it doesn't
actually make X illegal.

------
ryanhuff
It's not the concept of blocking passwords that is patented, but specific
approaches to blocking common passwords are.

------
redact207
These frivolous software patents are actually a blessing in disguise and will
ultimately be their own undoing. As more and more "patents" are filed and
trolls do their best to sue people into compensation, the media song & dance
will get stronger and policy makers will sit up and take note. Then it's just
a matter of time until blanket reforms are made.

~~~
s8qnze982y
Blanket reforms will never happen in the real world, because we're talking
about huge quantities of money involved - a blanket reform the way, say,
"many people would like it", would cause a sudden big loss to big & powerful
entities.

~~~
xiaoma
Absolutely. That's why we're still firing union workers and working child
laborers thirteen hours a day. Once enough money was involved, things just
couldn't change and therefore patents never will either. Not in the real
world.

------
RyanONeill1970
Could someone clarify something here?

If I'm based outside of the US and my servers are outside of the US, these
software patents would not affect me and I could implement them without risk?

I understand the site could be blocked from US browsing but that would seem
extreme, especially if I registered a country TLD like .co.uk.

In plain English, I don't think these patents apply to my country (UK) and
are not enforceable here. But I could be wrong.

~~~
xiaoma
There are patent treaties.

Edit: Well, who knows? Try it and see. Even in the worst case, you can almost
certainly cut a deal.

~~~
RyanONeill1970
Even when software patents are not allowed by law in the EU?

Edit: A quick Google found this, seems I would be OK.
<http://answers.onstartups.com/questions/21560/what-happens-when-a-uk-company-infringes-a-us-patent>

~~~
angry-hacker
Thinking about it - why don't big companies move, then? To avoid software
patent cases? I mean they can still have skilled workers working in Silicon
Valley, can't they? But the company is registered somewhere where they can't
sue them. Or what am I missing here?

~~~
talmand
I would assume having an office in the country means a presence which means
they follow the law. Plus just doing any kind of business inside the country,
including contractors, makes them subject to local law.

------
JohnsonB
How could there not be prior art for this? I know that patents are more
specific than the title of the patent, but if the patent isn't general enough
to cover prior cases of blocking common passwords, then the patent doesn't
even protect anything for the patent's authors. If it is general, then it is
surely an invalid patent, even by US patent office standards. Very confusing.

~~~
Vivtek
Sure - so prove that in a court of law.

That's the problem. The patent system puts _all_ the risk on inventors, none
on IP holders.

------
thomasfrank09
I get why you'd want to check for weak or common passwords, but why not just
require passwords to contain numbers/special characters? It may be a pain in
the butt, but it takes users' lack of care for security out of the equation.

------
danielnicollet
time to reform the patent review process. there is so much energy wasted
fighting patent trolls. furthermore, this produces nothing, it just leeches on
the wealth creation efforts of others.

------
gonzo
Passwords are dead. Film at 11.

~~~
dredmorbius
I'm starting to think the same thing.

For _serious_ systems-based access, it's been key-based auth for most of the
past decade. Even embedded systems (switches, routers, load balancers, DD-WRT-
based WiFi routers) offer SSH key-based auth.

Key management presents its own set of problems, but most are vastly
preferable to using poorly-selected passwords on a myriad of sites.

~~~
acabal
I'm always tempted to switch to key-based auth myself, but I travel a lot and
the thought of me losing my private key and thus being permanently unable to
decrypt my files/log in to my servers scares me to death.

That's the fatal flaw in the key-based system: while the chances are slim, if
you lose the key or it gets stolen (stolen laptop?), the consequences far
outweigh the benefits. I'd rather just remember a complex password for
personal encryption/ssh, use a simple throwaway password for general web app
use, and not have to worry about losing a key.

~~~
anonymouz
You can simply back up your key (encrypted with a password!) on a cheap USB
stick or CD you keep somewhere that you consider safe enough for your
purposes.

~~~
charliepark
Or on an encrypted server, like the "secure notes" feature of LastPass.

