One of my SaaS software vendors requires me to change passwords every 90 days, which is good.
What surprises me though, is that the password change screen errors with a note that my new password is too similar to an old password.
This most often happens if I change less than three or four of the characters within a password.
If it were an exact match to an old password, I would have confidence that they are hashing my password, and comparing the hashes. The "similarity" matching makes me think they are storing and comparing the plaintext versions.
Is it possible to determine "similarity" by comparing one hash to another, or is this vendor more likely storing my password in plain-text?
It's possible. Whenever you change the password, the software could create hash codes for all combinations of the same password with a few characters masked or removed.
If your password is hello, it could create hash codes for _ello, h_llo, he_lo, hel_o, hell_, __llo, _e_lo, _ell_, he_l_, he__o ... etc.
The next time you change the password, it can create the same set of combinations of that password, and compare to all the previous hash codes. If there is a match, only a few characters were changed.
It's a lot simpler to just save the passwords in plain text, of course.
This depends on whether they are checking all old passwords, or just your last one.
The last one will be available in memory if you had to enter your old password in order to set a new one. A form usually asks for three inputs: old password, new password and confirm new password.
If they are storing your last few passwords in hashed form, they would be able to check these for an exact match, and they could check your previous password for similarities using an algorithm using the old password that you just re-entered.