
SAP NetWeaver has a password policy to prevent your new password being similar to the last 5 passwords.

Are the passwords stored in plaintext to verify this?

Or is something like a soundex value stored?

Daniel W.

2 Answers


They don't need to have the passwords in plaintext to be able to verify that.
They could be using the best practices (PBKDF2) and still be able to spot password re-use.

You have the password hash, the salt and the number of iterations (e.g. salt:iterations:hash). So all they have to do is keep the last 5 passwords, run through PBKDF2, stored somewhere, and run the same algorithm on new passwords along with the salts of the old passwords, and they can determine whether the password was used before or not.

The downside here is that you can only check for an exact match, and even if a single character's capitalization has changed you won't be able to verify that for older passwords. But since you have to enter the current password to be able to change your password, the application can have access to the plaintext version of it at that moment and have stricter checks on your very last password. And this is what SAP does: you can't enter the exact same passwords you had before, and you can also force the user to change at least "n" characters from their previous password in their new one. (Reference)

Hash algorithms have pseudorandom output, and changing a single bit in the input makes unpredictable changes to the output. So apart from using salts, iterations or whatever, even in the case of simple hash algorithms like MD5 or SHA-1, there is no way to measure the similarity between inputs when you only have access to the hash output.

Silverfox
  • If my password was "smith1" I cannot choose the password "smith2" next. It must be more than exact match comparison. – Daniel W. Feb 23 '16 at 10:21
    As you enter smith1, the application checks if it's valid, and then since you just entered it, the application knows what your current password is in clear-text and it simply compares that with the new password which is smith2 and is only one character different. But if your second previous password was smith1 then you changed it to bob1, now you'd be able to choose smith2. – Silverfox Feb 23 '16 at 10:23
    I think that's it! The similarity comparison only happens between the current and new password, not with the other, older passwords! – Daniel W. Feb 23 '16 at 10:46
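A worked version of the two-stage scheme this answer and its comments describe, as an added example (not code from the answer, and not SAP's implementation): old passwords are kept only as `salt:iterations:hash` PBKDF2 records and checked for exact reuse, while the "change at least n characters" rule is applied only against the current password, which is available in plaintext because the user just typed it. The iteration count, the `chars_changed` rule and the sample passwords are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; not a value from the page


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Store a previous password as 'salt:iterations:hash' (hex), as the answer describes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}:{iterations}:{digest.hex()}"


def matches_record(candidate: str, record: str) -> bool:
    """Re-run PBKDF2 with the record's own salt and iteration count, then compare in constant time."""
    salt_hex, iters, digest_hex = record.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def chars_changed(old: str, new: str) -> int:
    """Positions that differ plus any length difference: an assumed, simple 'change at least n characters' rule."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def validate_new_password(new: str, current_plaintext: str, history: list, min_changed: int = 3) -> str:
    """Exact-match check against the hashed history; similarity check only against the current
    password, which the user has just entered in plaintext to authorise the change."""
    if any(matches_record(new, rec) for rec in history):
        return "rejected: matches a previous password"
    if chars_changed(current_plaintext, new) < min_changed:
        return "rejected: too similar to current password"
    return "accepted"


def demo() -> dict:
    """Constructed scenario from the comment thread: smith1 was changed to bob1 (the current password)."""
    history = [make_record("smith1"), make_record("bob1")]
    current = "bob1"
    return {cand: validate_new_password(cand, current, history)
            for cand in ("smith1", "smith2", "bob2", "correct horse")}


if __name__ == "__main__":
    for cand, verdict in demo().items():
        print(f"{cand!r}: {verdict}")
```

Note that `smith2` is accepted here even though `smith1` is in the history, exactly as the comments conclude: similarity is only measured against the current password, reuse only against the stored hashes.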

EDIT: The question was asking how matches are detected; the answer below is for similarity:

When using a good hashing algorithm, same or similar passwords will never have the same hash value. You can't check hashes for similarity, only for equality.

They could be using something like fuzzy hashing to check a fundamental level of similarity, which gives the percentage of similarity.

Muhammet
  • Having access to the salt and the iteration count (if there is any) you can verify the equality and I believe that's what the mentioned application does and that's how the system verifies the entered password in the first place. – Silverfox Feb 23 '16 at 09:35
  • @Silverfox Yes, it's a bit unclear, because title says "match" where the question itself says "similar". – Muhammet Feb 23 '16 at 09:38