Identifying password similarity without storing in plain text?

One of my SaaS software vendors requires me to change passwords every 90 days, which is good.

What surprises me though, is that the password change screen errors with a note that my new password is too similar to an old password.

This most often happens if I change less than three or four of the characters within a password.

If it were an exact match to an old password, I would have confidence that they are hashing my password, and comparing the hashes. The "similarity" matching makes me think they are storing and comparing the plaintext versions.

Is it possible to determine "similarity" by comparing one hash to another, or is this vendor more likely storing my password in plain-text?

Animatism answered 8/12, 2014 at 20:17 Comment(0)
7

It's possible. Whenever you change the password, the software could create hash codes for all combinations of the same password with a few characters masked or removed.

If your password is hello, it could create hash codes for _ello, h_llo, he_lo, hel_o, hell_, __llo, _e_lo, _ell_, he_l_, he__o... etc.

The next time you change the password, it can create the same set of combinations of that password, and compare to all the previous hash codes. If there is a match, only a few characters were changed.

It's a lot simpler to just save the passwords in plain text, of course.

Bind answered 8/12, 2014 at 20:34 Comment(0)
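The masking scheme this answer describes, as an added worked example (not the vendor's or the answerer's code): on each change the server stores the salted hash of the exact password plus the hashes of every variant with up to two positions masked, and a later change is "too similar" if any masked variant of the new password hashes to a stored value. PBKDF2, the iteration count and the two-position limit are assumptions for the demo.

```python
import hashlib
import hmac
import itertools
import os

MASK = "_"
MAX_MASKED = 2           # positions allowed to differ and still count as "similar"
HASH_ITERATIONS = 20_000  # demo value only; production needs a far higher count

def masked_variants(password: str, max_masked: int = MAX_MASKED):
    """Yield the password with every combination of up to max_masked
    positions replaced by MASK (the _ello, h_llo, __llo ... set above)."""
    chars = list(password)
    for k in range(1, max_masked + 1):
        for positions in itertools.combinations(range(len(chars)), k):
            variant = chars[:]
            for p in positions:
                variant[p] = MASK
            yield "".join(variant)

def slow_hash(text: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever password hash the site uses.
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, HASH_ITERATIONS)

def record_password(password: str, salt: bytes = b"") -> dict:
    """What the server stores on a password change: the salt, the hash of the
    exact password and the hashes of each masked variant. No plaintext."""
    salt = salt or os.urandom(16)
    return {
        "salt": salt,
        "exact": slow_hash(password, salt),
        "variants": {slow_hash(v, salt) for v in masked_variants(password)},
    }

def too_similar(new_password: str, old_record: dict) -> bool:
    """True if new_password equals the old one or has the same length and
    differs in at most MAX_MASKED positions; the old plaintext is never needed."""
    salt = old_record["salt"]
    if hmac.compare_digest(slow_hash(new_password, salt), old_record["exact"]):
        return True
    return any(slow_hash(v, salt) in old_record["variants"]
               for v in masked_variants(new_password))
```

Each stored variant hash covers a password with one or two characters removed, so it is cheaper to guess offline than the exact hash; the variants therefore need the same slow salted hashing, and the masking limit should stay as small as the policy allows.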
4

This depends whether they are checking all old passwords, or just your last one.

The last one will be available in memory if you had to enter your old password in order to set a new one. A form usually asks for three inputs: old password, new password and confirm new password.

If they are storing your last few passwords in hashed form, they would be able to check these for an exact match, and they could check your previous password for similarities using an algorithm using the old password that you just re-entered.

Mccomas answered 10/12, 2014 at 12:58 Comment(1)
This is a really excellent point. I think this is the best solution. (Adscription)
3

In all likelihood they are storing the plain text. With a good hashing algorithm there should be no correlation between the original content and the hash value (that is what makes it good).

It is possible they are storing some characteristics of the original password to use as reference. For example the counts of characters, any numeric value, etc., and then comparing to that but I doubt it.

Sonnnie answered 8/12, 2014 at 20:22 Comment(0)
0

One way to do this is by reducing the space of the password.

For example, if you think that "Hello" and "h3LL0" are similar, then you can make a reduce() function that changes the string to uppercase and changes all vowels and digits to @. Both "Hello" and "h3LL0" will be reduced to "H@LL@".

In the database you need to store hash() of the current password and hash(reduce()) of the current and all previous passwords.

You can design any policy of similarity you want, as long as you can make a suitable reduce() function.

Adscription answered 9/12, 2022 at 16:13 Comment(0)