2

I want to keep track of user password change history, and display a warning if their current password is used by them before. To note, I don't want to prevent a user from setting a password if it is used before, I want to let them set the password, but just display a warning afterwards. So what I'm looking for is NOT a password validator.

I know that while Django saves user passwords in the db, it creates a hash of the password, using a random salt. So 2 hashes of the same password will not be the same. Still, is it possible to tell if 2 different password hashes are created with the same raw password as the input?

Ozgur Akcali
  • 5,264
  • 2
  • 31
  • 49
  • For this you need the raw (unhashed) password; you can then hash it with the same random salt as an old password and see whether the hashes match. It's not possible if all you have are the hashes. – deceze Mar 11 '20 at 13:03
  • @deceze yes in my case all I have are the hashes. If you can post an answer explaining the impossibility of this I can accept. – Ozgur Akcali Mar 11 '20 at 13:04

2 Answers

4

I don't know whether I understood your situation correctly or not. Here is the solution based on what I understood from your question. You can compare the new password with the password which is already in use by using the check_password() method which is associated with the User model in Django.

 from rest_framework.decorators import api_view
 from rest_framework.response import Response

 @api_view(['POST'])
 def some_function(request):
     new_password = request.data.get('password')
     # get the user from the request (only works for an authenticated request)
     user_object = request.user
     if user_object.check_password(new_password):
         # check_password() hashes new_password with the same algorithm, salt and
         # iteration count as the password stored in the db, then compares the
         # result with the stored hash.
         return Response({"detail": "Both the passwords are same"})
     else:
         return Response({"detail": "Passwords are not same"})

If the request is not authenticated then it is not possible to get the user from the request. In that case this code will not work.

Hope it will give the solution to your problem.

Balasundar
  • 141
  • 6
  • I don't have access to the raw password when I want to make the comparison. In my situation, I only have 2 different password hashes, and want to know if those hashes are created with the same raw password – Ozgur Akcali Mar 11 '20 at 13:33
  • check this link. It may help you https://stackoverflow.com/questions/21031661/how-do-you-test-if-two-hashes-passwords-are-similar – Balasundar Mar 11 '20 at 13:42
  • Thanks, though it's not the same case, it gives some ideas – Ozgur Akcali Mar 11 '20 at 13:58

4

If you don't have access to the plaintext password and all you have are the hashes, you cannot make any comparisons between them. That's precisely on purpose to make the passwords irreversible, and especially entire databases of them. You may be able to brute-force one password given enough time and computing power, but you can't apply that knowledge to any other hashes, so brute-forcing an entire database of them is prohibitively expensive.

You could make such comparisons at the time of registration, login or password reset, when the user has input their plain password. At that point, you just need to hash the password with the salt of the existing one(s) and then compare the hashes.

deceze
  • 510,633
  • 85
  • 743
  • 889
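Worked example of what both answers describe: the first answer's check_password() and the second answer's "hash the new plaintext with the salt of the existing hash, then compare". This is added illustration code, not from the question, the answers or Django itself. It reimplements the Django-style encoded format `pbkdf2_sha256$iterations$salt$base64hash` with the standard library only, so it runs without Django installed; the salts, passwords and iteration counts are constructed sample values, and `previously_used()` is a hypothetical helper showing the warning-only history check the question asks for.

```python
"""Added example: comparing Django-style PBKDF2 password hashes.

Two hashes of the same password under different random salts never match,
so with only the stored hashes there is nothing to compare. With the
plaintext in hand (at login or password change) you re-hash it using each
old entry's salt and iteration count and compare the results.
"""
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional

ALGORITHM = "pbkdf2_sha256"


def encode_password(password: str, salt: Optional[str] = None,
                    iterations: int = 10_000) -> str:
    """Return a Django-style encoded password string.

    Format: algorithm$iterations$salt$base64(derived key). The iteration
    count here is a constructed demo value, not a Django default.
    """
    if salt is None:
        # Constructed salt generation; Django uses its own random salt helper.
        salt = secrets.token_urlsafe(12)
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt.encode("utf-8"), iterations)
    return "$".join([ALGORITHM, str(iterations), salt,
                     base64.b64encode(derived).decode("ascii")])


def check_password(password: str, encoded: str) -> bool:
    """Mirror of what Django's check_password() does for PBKDF2 hashes.

    Parse the stored entry, re-hash the candidate plaintext with the SAME salt
    and iteration count, and compare in constant time.
    """
    algorithm, iterations, salt, _digest = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    candidate = encode_password(password, salt=salt, iterations=int(iterations))
    return hmac.compare_digest(candidate, encoded)


def previously_used(new_password: str, history: List[str]) -> List[int]:
    """Hypothetical history check: indexes of old hashes the plaintext matches.

    Intended for the moment the user submits the new password; the caller can
    still store the password and only emit a warning if the list is non-empty.
    """
    return [i for i, old in enumerate(history) if check_password(new_password, old)]


def hashes_match_without_plaintext(encoded_a: str, encoded_b: str) -> bool:
    """All you can do with two stored hashes alone is compare them literally.

    Same password, different salts -> different strings -> False. This is the
    point of the accepted answer.
    """
    return hmac.compare_digest(encoded_a, encoded_b)


if __name__ == "__main__":
    # Constructed sample data: the same password hashed twice with fresh salts.
    old_hash = encode_password("correct horse battery staple")
    new_hash = encode_password("correct horse battery staple")
    print("hash-only comparison:", hashes_match_without_plaintext(old_hash, new_hash))
    print("plaintext re-hash check:", check_password("correct horse battery staple", old_hash))
    print("reused entries:", previously_used("correct horse battery staple", [old_hash, new_hash]))
```

In a real Django project the same logic is `django.contrib.auth.hashers.check_password(raw, encoded)` run over a table of the user's previous `user.password` strings at the point where the change form hands you the plaintext; keep the history rows as encoded strings only, never the raw values.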