2

I have a project where I need to do an account merge across two websites.

Some percentage of users have accounts on both sites (same email address). Rather than just assume that two accounts with the same email address are the same identity, we'd like to go one step further and compare password hashes.

Both websites are on the same eCommerce platform, just 2 differently branded sites which we're consolidating into one. The hashing function is the same on both sites (SHA256) however we use different SALT's on each site.

For example:

SITE#1
password(1) = hello
salt(1) = abc123
hash(1) = 1a1A1a1A1a1A

SITE2
password(2) = hello
salt(2) = xyz456
hash(2) = 2b2B2b2B2b2B

Given just salt(1), hash(1), salt(2), hash(2), is it possible to verify that that password(1) and password(2) are the same? i.e I don't need to decrypt, just need to confirm that the two passwords are the same?

Improve this question
3
  • 3
    You can't, the question is, why would you? Commented Mar 28, 2018 at 14:41
  • 1
    Even if you could check whether the passwords are the same (you can't), other than "because users are lazy" what makes you think they'd be using the same password on both sites? Commented Mar 28, 2018 at 14:53
  • You mention that you use different salts on each site. I hope that you mean that you use a random salt for every password. Having a single salt for an entire site is not appropriate password storage. Commented Mar 28, 2018 at 14:58

2 Answers 2

Reset to default
6

You can't. That's kinda the point of a salt.

If you could tell two passwords with different salts were the same, then attacks using pre-computed hashes would still be possible, and salts would be pretty useless.

You would need the original password to verify both salted hashes are derived from the same password.

Improve this answer
2

The design of the system is that you cannot do this without knowing the original password. The security goal is that you cannot test a password any faster than the hash. If you can do an equivalency between the two faster than hashing, then you have a way to figure out the password faster than hashing it.

As an additional comment, I hope that the hashes are unique per user, not unique to the sites

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.