OWASP - ASVS: Forgot Password

(srinivas) #1

If the password is salt hashed and not decryptable, can we still check whether the password has already been used by the same person?
So we won't allow the user to use the same password that was already used in the application.

(Butch Mayhew) #2

My first question would be: why would you prevent the same password from being used? Maybe there is a use case for it, but I don’t see how that scales well. With 100 users you may not run into issues, but what happens when there are 1,000,000 users? In answer to your question, it depends on whether the password is salt hashed or randomly salt hashed. See article - https://security.stackexchange.com/a/66992 If the salt is the same on all passwords, you should be able to compare the encrypted values and see duplicate passwords. If the salts are random, then you will not be able to check for duplicate passwords.

(srinivas) #3

Yes. I was asking about the case where a random salt is used.

Thank you.