Reputation: 359
I am trying to compare some text that the user enters in with a hashed password, to see if they are similar at all. Ex: if the inputted text is: pass1234 and if the unhashed password is: mypass64, then that would count as a pass.
There are a couple of ways that I have thought about doing this, but I would like to make sure that I choose the correct or best one.
Here are some of the options that I thought about so far:
1) I could hash the inputted text and compare the substrings of that with the substrings of the already hashed password, to see if they share any common substring
2) Somehow reverse the hashed password and compare the plain text password with the inputted text and see if any common substrings exist (not sure if this is good practice or not)
I am currently leaning towards the first option, since I think minimizing the amount of time that the user's password is unhashed will reduce the window and opportunity for an attack.
Are any of these options a correct way to check if a text is similar to a hashed password?
Edit: The whole purpose of this is so that I can prevent the user from entering a similar password to their new one, if they want to change or reset their password.
Upvotes: 0
Views: 196
Reputation: 637
Your assumption that some substring of a given full password string will have a similar hash to the password is wrong. You are most likely creating the MD5, so that option is out of scope.
For #2, if you can reverse engineer that MD5 password (I hope it is), then there are bigger problems in this world than yours. :) I don't think it is possible to reverse engineer an MD5 hash with a normal computer; maybe a supercomputer can.
It is unclear to me why you would let them pass with a partial password. What if they just type "s" or "a", one char only?
The only way I can think of is that you create your own encryption with cryptography and decrypt it yourself.
Upvotes: -1
Reputation: 6395
I would be surprised if there is any way at all. That would completely wreck the security of hashing - the whole idea of a hash is that similar inputs give dissimilar hashes.
Upvotes: 4
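Why option 1 in the question cannot work, as an added example that is not part of the original thread: it hashes the question's two sample passwords, plus a constructed one-character variant, and compares the overlap in the plaintext with the overlap in the digests. Unsalted SHA-256 from Python's `hashlib` is an assumption made only for illustration (the thread does not say which hash is in use), and the helper names are hypothetical.

```python
import hashlib
from difflib import SequenceMatcher


def longest_common_substring(a: str, b: str) -> str:
    """Return the longest run of characters that appears in both strings."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b)
    )
    return a[m.a:m.a + m.size]


def sha256_hex(text: str) -> str:
    """Hex digest of the UTF-8 encoded text (assumed hash, for illustration)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance in bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare(old: str, new: str) -> dict:
    """Measure similarity of two passwords before and after hashing."""
    h_old, h_new = sha256_hex(old), sha256_hex(new)
    return {
        "plain_overlap": longest_common_substring(old, new),
        "digest_overlap": longest_common_substring(h_old, h_new),
        "differing_bits": differing_bits(h_old, h_new),
    }


if __name__ == "__main__":
    # First pair is from the question; the second is a constructed
    # one-character variant to show the effect of a minimal change.
    for old, new in [("mypass64", "pass1234"), ("mypass64", "mypass65")]:
        r = compare(old, new)
        print(f"{old!r} vs {new!r}")
        print(f"  shared plaintext run : {r['plain_overlap']!r}")
        print(f"  shared digest run    : {r['digest_overlap']!r} (coincidental)")
        print(f"  digest bits differing: {r['differing_bits']} of 256")
```

The plaintexts share a long run of characters, while the digests differ in roughly half of their 256 bits and share only the few hex characters that any two unrelated digests would share by chance, so substring overlap between hashes says nothing about overlap between passwords.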