How do you check if two hashes (passwords) are similar?

When the user creates a password, I transfer it (including salt) and save it in the database.

Now that the user wants to change his password, I want to check if the new one is too similar to the old one (I saw this in different services, especially in the online bank).

So, I thought I would use similar_text or levenshtein. And this works if the user must enter their old password.

But when the user has forgotten their password and needs to reset it, obviously, they do not need to enter their old password. Therefore, I will need to compare the new password with the old password (stored in the database), which I do not have in plain text, only as a hash.

Now, when I use the new password using the same salt and compare it with the old password (hashed), I obviously cannot check if the new and old password are similar.

I'm just curious to know how companies do this when they don’t save the password as plain text in the database?

I could not find anything useful on Google. If anyone has suggestions or links to articles that discuss this in more detail, I would appreciate it if they could share them.

+6
3 answers

One approach to checking for similarity, if the stored password is hashed (and not encrypted), is to generate a series of probable permutations of the new password, hash the permutations, and see if any of these hashes match the stored hash.

The rules for generating permutations will be the same as the rules for unacceptable similarities.

OLD

 password1 

NEW

 password2 

Permutations

 password
 password1 // This permutation hash matches the stored hash.
 password3
 1password
 etc...
+9
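The approach from the answer above, as an added example that is not part of the original answers: candidates derived from the new password are hashed with the old password's stored salt and compared to the stored hash. The function names, the rule set in `similar_candidates`, and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Demo value (assumption). In practice, use the algorithm and cost
# parameters that the stored hash was created with.
ITERATIONS = 10_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 hash of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def similar_candidates(new_password):
    """Passwords this (constructed) policy treats as too similar to new_password."""
    # Core word with leading/trailing digits and symbols removed.
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", new_password)
    out = [new_password, core]
    for base in (new_password, core):
        out += [base.lower(), base.upper(), base.capitalize()]
    if core:
        for d in "0123456789":
            out += [core + d, d + core]  # password1, 1password, ...
        out += [core + suffix for suffix in ("!", "123")]
    # Drop empty strings and duplicates, keeping the order stable.
    return list(dict.fromkeys(c for c in out if c))


def too_similar(new_password, old_hash, old_salt):
    """Return the candidate that reproduces the old hash, or None."""
    for candidate in similar_candidates(new_password):
        digest = hash_password(candidate, old_salt)
        if hmac.compare_digest(digest, old_hash):
            return candidate
    return None


if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed sample data
    stored = hash_password("password1", salt)  # what the database holds
    for attempt in ("password2", "1password", "correct horse battery"):
        hit = too_similar(attempt, stored, salt)
        print(attempt, "->", "rejected (old password was a variant)" if hit else "accepted")
```

Each candidate costs one full password hash, so the size of the rule set multiplies the work done per password change.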

After hashing, two almost identical lines (say, one bit apart) will have completely different hashes ... And it is possible that two completely different lines will have similar hashes.

You cannot verify password similarity when hashing or encrypting passwords. You can only check if the password is equal.

In addition, you should not restore the old password. The policy is that the user should always create a new password when he does not remember the old one. If you allow them to recover / guess their password, you also help attackers crack user passwords.

+1

When generating a new password, people usually create a random string for the password and send it to the user (by email or SMS or something else) and hash this line and store the hashed password in the database.

You do not need to recover the OLD password. Hashing methods, such as md5(), cannot be decrypted or restored, so we use them to avoid hacker decryption.

0