Question
On the Pro Webmasters StackExchange site, someone asked a question about a webapp (in this case cPanel) that refused to allow a password change because it was too similar to a previous password. I suggested that the app might be storing hashes of portions of the password.
I was going to ask whether, assuming that an app is storing hashes of portions of a password (i.e. substrings of the full password string), doing so would be less secure than just storing a single hash, but after typing out the question, I realize that it definitely would be less secure. In the most extreme case, i.e. storing a 'hash' of every character in the full password string, an attacker could trivially recover the original password.
Is there a way to store a password securely that still allows similarity comparisons to be made?
Explanation / Answer
Storing passwords in such a way as to allow comparison against portions of the hashed password is by definition less secure than traditional cryptographic hashing. As a rule, this is simply never done.
On the other hand, you could safely make comparisons of portions of your new password (for which you necessarily have the plain text) against the entirety of an old hash, and such comparisons are done today by some existing software.
To address your original point, to the best of my knowledge, cPanel does not do what you suggest. It has the option of storing certain kinds of passwords reversibly encrypted for use with digest authentication, but this is not the default. All other password storage is done through the underlying product's default hashing mechanism (be it MySQL's hashing, the shadow file, etc.).
The discussion may have confused cPanel with Plesk, which until very recently stored all passwords in plain text in a MySQL database. Yes, really.
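The safe direction described in the answer above (derive candidate strings from the new password, which you hold in plaintext, and verify each one against the single stored hash of the old password) looks like the following. This is an added example, not code from the answer, from cPanel or from Plesk; the PBKDF2 parameters, the minimum substring length and the set of "similar" candidates are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterator, Optional

# Example parameters (assumed for this illustration, not any product's settings).
# Production deployments should use a far higher iteration count or a
# memory-hard KDF; the count is kept low here so the check runs quickly.
ITERATIONS = 50_000
SALT_LEN = 16
MIN_SUBSTRING = 6      # substrings shorter than this are not worth testing


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password).

    Only the complete password is ever hashed; no substring of it is stored.
    """
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + dk


def verify_password(candidate: str, stored: bytes) -> bool:
    """Constant-time check of a plaintext candidate against a stored record."""
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(probe, dk)


def similarity_candidates(new_password: str, min_len: int = MIN_SUBSTRING) -> Iterator[str]:
    """Yield plaintext strings derived from the NEW password that, if any equals
    the old password, mean the new one is 'too similar'.

    Here the candidate set is every substring of at least min_len characters,
    longest first. That catches the common case of re-using the old password
    with characters added at either end (e.g. 'OldPassword' -> 'OldPassword1').
    The old password is never reconstructed; each candidate is simply run
    through the normal verify path.
    """
    seen = set()
    n = len(new_password)
    for length in range(n, min_len - 1, -1):
        for start in range(0, n - length + 1):
            candidate = new_password[start:start + length]
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def too_similar(new_password: str, old_stored: bytes) -> bool:
    """True if the old password is the new password or a substring of it."""
    return any(verify_password(c, old_stored) for c in similarity_candidates(new_password))


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    old_record = hash_password("Tr0ub4dor&3")
    for attempt in ("Tr0ub4dor&3", "Tr0ub4dor&3!", "xxTr0ub4dor&3", "correct horse battery staple"):
        print(f"{attempt!r:32} too similar: {too_similar(attempt, old_record)}")
```

Every candidate costs one full KDF evaluation against the stored record, so the candidate set has to stay small; that cost is exactly why this check can only run in the direction the answer describes (plaintext new password against the old hash) and never by storing hashed fragments of the old one.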