7

I am still very new to Information Security field and as far as I know, websites use hashing algorithm on user's passwords before storing it and they don't know the plain-text password of a user.

Today, I tried to change my Facebook password but I got this error,

enter image description here

Even I don't remember my old password so how could facebook know what was my old password ?

Riley Willow
  • 1,139
  • 9
  • 11

2 Answers2

4

We do not know how exactly Facebook manages user passwords, however, we can imagine this scenario:

A new user logs into his Facebook account using the password: Password1. It is likely that, immediately, Facebook generates similar passwords such as: Passw0rd1. pAssword2, Passmord1 ...etc.

Facebook then stores their respective hashes (which are different, of course) so that if a user user types his password (after reset), the hash of the new password is compared to all these stored hashes: Facebook can tell you then if your new password is similar to the previous one or not.

EDIT:

Following @Philipp comment saying Facebook does not hash passwords, I want to share this information that I quoted from the official Facebook documentation (Keeping Passwords Secure):

We hash each password using our internal password hashing algorithm and the unique salt for that person. Since Facebook stores passwords securely as hashes, we can't simply compare a password directly to the database. We need to hash it first and compare the hashes.

Community
  • 1
  • 4
    but as far as I remember even if we change the single character in password, the entire hash is changed...isn't that true ? – Riley Willow Oct 04 '15 at 12:34
  • 2
    @Begueradj, but isn't it a bad security practice to store multiple hashes of user's similar password in your database ? wouldn't that make cracking password easier in case if your database is compromised ? – Riley Willow Oct 04 '15 at 13:01
  • 1
    maybe Facebook does it locally! I mean when you enter your password, the HTML page on your machine replaces some letters, hashes them and send the hashes. I think you should ask someone who is professional at HTML programming :/ – Eibo Oct 04 '15 at 13:02
  • 2
    HTML is not programming – Riley Willow Oct 04 '15 at 13:02
  • 1
    Web programming. whatever it is ... you got the point ! – Eibo Oct 04 '15 at 13:03
  • 1
    @Philipp Check my edit: Facebook itself says it hashes user passwords –  Oct 04 '15 at 16:56
  • Why would it need to store the hashes? It takes the second password, then changes it, creates a hash, compares that hash to the stored hash, and if they are the same the password is too similar. So it stores hash(password1), you set the new password to password2, and it compares hashes for password1, password3 etc. – SPRBRN Oct 05 '15 at 07:24
  • @SPRBRN As I said, what I described in my answer is just a possible scenario: Facebook won't let us know how they precisely manage user passwords. Do not take my answer as the right thing Facebook is doing, it is just a possible scenario that leads to the situation of the OP's question. –  Oct 05 '15 at 07:30
  • I don't say they do. I just explained that they don't need to store those other hashes. It doesn't matter if you generate those hashes based on the old or the new password. So when you make those hashes based on the new password, you can compare them on the spot and throw them away. – SPRBRN Oct 05 '15 at 08:17
  • @SPRBRN The OP did not ask just about the resetting (in which your scenario is likely to be true), but about using accidentally one of his previous old passwords –  Oct 05 '15 at 10:28
  • In your answer you say: "Facebook then stores their respective hashes". My comment is about this alone. It would be bad practise to store the hashes as they can be created when the new password is entered. – SPRBRN Oct 05 '15 at 10:42
1

The technical details are given in brief but Facebook does use hashing with unique salts. The plain text passwords are hashed with undisclosed algorithm(as Facebook has not revealed it) and then prefixed or postfixed with unique salt and compare it. If it matches then the user gets the green light otherwise no. In case, of similar password, may be Facebook use pre-computed and predicted hashed passwords like replace a with @ or i with 1 or replacing alphabet/s with Upper or lower case. It's given here in brief.

mud1t
  • 102
  • 4