您如何测试两个哈希(密码)是否相似? [英] How do you test if two hashes (passwords) are similar?

问题描述

用户创建密码时，我会对它(包括盐)进行哈希处理并将其保存在数据库中.

When a user creates a password I hash it (including a salt) and save it in the DB.

现在，当用户想要更改其密码时，我想测试新密码与旧密码是否过于相似(我已经在不同的服务(尤其是网上银行)上看到了这一点).

Now when the user wants to change his or her password I want to test if the new one is too similar to the old one (I have seen this done on different services, especially online banking).

所以，我想我会使用 similar_text 或 levenshtein 函数.如果用户必须输入他或她的旧密码，这将起作用.

So, I thought I will use the similar_text or levenshtein function. And this works if the user has to type in his or her old password.

但是，当用户忘记了密码并需要重设密码时，显然不必键入旧密码.因此，我需要将新密码与旧密码(保存在数据库中)进行比较，而我没有纯文本，而是散列.

But when the user has forgotten their password, and they need to reset it, the obviously don't have to type in their old password. So I would need to compare the new password with the old password (saved in the DB), which I don't have in plain text but a hash.

现在，当我使用相同的盐对新密码进行哈希处理，并将其与旧密码(哈希)进行比较时，我显然无法测试新密码和旧密码是否相似.

Now, when I hash the new password using the same salt, and compare it with the old password (hashed), I obviously cannot test whether or not the new and old password are similar.

我只是想知道公司在不将密码以纯文本格式保存在数据库中时如何做到这一点?

I am just curious to find out how companies do that, when they don't save the password as a plain text in the DB?

我在Google上找不到任何有用的东西.如果任何人有任何建议，或者有指向更详细讨论此事的文章的链接，我希望能与他们分享.

I couldn't really find anything helpful on Google. If anyone has any suggestions, or links to articles that discuss this in more detail, I'd appreciate it if they could share them.

推荐答案

测试存储的密码是否经过哈希处理(而不是加密)的相似性的一种方法是生成许多可能的新密码排列，并对排列进行哈希处理，然后查看其中的任何哈希是否与存储的哈希相对应.

One approach to test for similarity if the stored password is hashed (rather than encrypted) is to generate a number of likely permutations of the new password, hash the permutations, and see if any of those hashes correspond to the stored hash.

生成排列的规则与禁止相似性的规则相同.

The rules for generating permutations would be the same as the rules for disallowed similarities.

OLD

password1

新

password2

PERMUTATIONS

password
password1   // This permutation's hash matches the stored hash.
password3
1password
etc...

这篇关于您如何测试两个哈希(密码)是否相似?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！