Menu
When a user creates a password I hash it (including a salt) and save it in the DB.
Now when the user wants to change his or her password I want to test if the new one is too similar to the old one (I have seen this done on different services, especially online banking).
So, I thought I will use the similar_text or levenshtein function. And this works if the user has to type in his or her old password.
But when the user has forgotten their password, and they need to reset it, the obviously don't have to type in their old password. So I would need to compare the new password with the old password (saved in the DB), which I don't have in plain text but a hash.
Now, when I hash the new password using the same salt, and compare it with the old password (hashed), I obviously cannot test whether or not the new and old password are similar.
I am just curious to find out how companies do that, when they don't save the password as a plain text in the DB?
I couldn't really find anything helpful on Google. If anyone has any suggestions, or links to articles that discuss this in more detail, I'd appreciate it if they could share them.
791
The first is the compare() method which just like the hash() function returns a promise. Its first parameter is the unhashed password entered manually or through a login form. The second parameter is a string or rather the stored password in the database.
When hashing passwords, two passwords can produce the same hash, so if a user inputs someone else's username but his own password, there is a possibility that he will be able to login to that other account.
You will need to verify the user passwords to see if they match the passwords stored in the database. To do this, we call check() on the Hash façade. The check() method verifies if the plain-text string entered by the user matches the given hash. The code above uses the Hash facade alongside the check() method.
There are many great tools available to crack password hashes such as rainbowcrack . This tool uses rainbow tables to crack hashes. Rainbow tables are used for longer passwords. The way they work is by using hash and reduction functions.
One approach to test for similarity if the stored password is hashed (rather than encrypted) is to generate a number of likely permutations of the new password, hash the permutations, and see if any of those hashes correspond to the stored hash.
The rules for generating permutations would be the same as the rules for disallowed similarities.
OLD
password1
NEW
password2
PERMUTATIONS
password
password1 // This permutation's hash matches the stored hash.
password3
1password
etc...
After hashing two almost identical string (let's say one bit different) will have totally different hash... And it is possible that two totally different strings will have similar hash.
You cannot check password similarity when you are using password hashing or encryption. You can check only if the password is equal.
Plus you shouldn't restore old password. The policy is that user should always create a new password when he doesn't remember the old one.. If you allow them to restore/guess their password you are helping also attackers with cracking users passwords.
26
In generating new password people usually create a random string for password and send it to user (by email or sms or anything else), and hash that string and save the hashed password in database.
you don't need to restore OLD password.hashing methods like md5() cannot be decrypted or restored, that is why we use them , for avoiding decryption by a hacker.
26
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
