You’re not supposed to have the old password. If you had the old password you could just compare it to the new password.
The only way you can do it is to take the new password and make a hash for every possible single-character variation and compare them all to the old hash
They shouldn’t be storing the old password hashed, either. Expired password hashes should be destroyed like any other potentially-sensitive information that is no longer business critical.
There is a reason hackers look to get users tables even though the passwords are hashed. Because with enough of them and enough time, they can usually figure out plaintext. Giving them 10 previous hashed passwords for each user is just increasing the hypothetical risk.
Sorry, that’s what I meant as well :) Came out upside down when I wrote. We used to figure out shitty ISP router passwords this way by having a table of common passwords and their hashes.
How would they know how many digits changed? They don’t store the password in cleartext.
Right?
…
You could take the old password, change one or two letters and compare the hash to the hash of the new password?
That’s the point though.
You’re not supposed to have the old password. If you had the old password you could just compare it to the new password.
The only way you can do it is to take the new password and make a hash for every possible single-character variation and compare them all to the old hash
They shouldn’t be storing the old password hashed, either. Expired password hashes should be destroyed like any other potentially-sensitive information that is no longer business critical.
There is a reason hackers look to get users tables even though the passwords are hashed. Because with enough of them and enough time, they can usually figure out plaintext. Giving them 10 previous hashed passwords for each user is just increasing the hypothetical risk.
You’re right ofc if you wanted to make a general remark, but wrong if you thought that was what I was implying. Never store hash histories, kids!
Sorry, that’s what I meant as well :) Came out upside down when I wrote. We used to figure out shitty ISP router passwords this way by having a table of common passwords and their hashes.