Saif

Reputation: 2679

Check if entered password is hashed

The scenario is like this:
The password is returned to the input field as a hashed password.
1 - First, the user does not update the password; in this case just return the current hashed password.
2 - Otherwise, the user updates his/her password; then hash the new password and save it in the database.
So how do I check whether the returned password is hashed or not?

Code:

public int UpdatePrivilege(User user, int changerId, string pwd)
{
    if (user.pwd == pwd) //how to check if hashed or not.
    {
        user.pwd = _Md5Hash(user.pwd);
    }
    return dalc.Update(user, changerId);
}

Secondly, let's say the user does not update the password; will the old password remain as it is after the saving process?

Upvotes: 0

Views: 2154

Answers (2)

Crick3t

Reputation: 1151

I think it is a single responsibility issue. Your method should only do one thing: either check whether the password is correct, change the password if needed, or check whether it has changed.

Just by receiving a string it is not possible to decide if it is hashed or not. You could put some limitations on the password itself, let's say not longer than 30 characters, and then make sure the hash is always longer than 30 (or the password must contain special characters that the hash cannot), but this would not always work and would not be a good idea either.

I would suggest creating separate methods for each piece of functionality, i.e. hashing password, changing password, checking password.

I hope this helps.

Upvotes: 0

Cheng Chen

Reputation: 43503

You are going in the wrong direction. Consider the following case:

  1. My password is abc, which will be hashed (let's say MD5) and stored in database like 75d22b7a1b5be026653445831b9f0c61.

  2. When I open the page, the hashed string will be used (maybe in the UI code).

  3. I change my password from abc to 75d22b7a1b5be026653445831b9f0c61.

  4. Your code gets my new password and judges it's unchanged. WRONG.

You can never tell if a user has changed his password from the password text; only the UI code (let's say JavaScript in web apps) knows that. You should let the UI code tell the back-end if it's changed.

Upvotes: 2
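
The approach from the answers above, as an added example that is not part of the original posts: the form sends an explicit "changed" flag, the stored hash is never placed in the input field, and the back-end hashes whatever the user submitted when the flag is set. The `User` stand-in, the `passwordChanged` parameter and the method names are hypothetical, salted PBKDF2 is substituted for the question's `_Md5Hash`, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical stand-in for the question's User class; only the stored hash matters here.
public class User { public string PwdHash = ""; }

public static class PasswordUpdate
{
    const int Iterations = 600_000; // constructed value for this example

    // Salted PBKDF2 replaces the question's _Md5Hash (a substitution made for this example).
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(key);
    }

    // Recomputes the hash with the stored salt and compares in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // passwordChanged comes from the form, so the back-end never inspects the text
    // to guess whether it is "already hashed".
    public static bool Apply(User user, bool passwordChanged, string newPassword)
    {
        if (!passwordChanged) return false;      // leave the stored hash untouched
        user.PwdHash = Hash(newPassword);        // any submitted value is treated as plaintext
        return true;
    }

    public static void Main()
    {
        var user = new User { PwdHash = Hash("abc") };
        string oldHash = user.PwdHash;

        Apply(user, false, "");                  // form reported no change
        Console.WriteLine("hash kept: " + (user.PwdHash == oldHash));

        Apply(user, true, oldHash);              // the case from the second answer: new password is the old hash text
        Console.WriteLine("new password accepted: " + Verify(oldHash, user.PwdHash));
        Console.WriteLine("old password still valid: " + Verify("abc", user.PwdHash));
    }
}
```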
