When a user creates a password I hash it (including a salt) and save it in the DB.
Now when the user wants to change his or her password I want to test if the new one is too similar to the old one (I have seen this done on different services, especially online banking).
So, I thought I will use the similar_text or levenshtein function. And this works if the user has to type in his or her old password.
But when the user has forgotten their password, and they need to reset it, the obviously don't have to type in their old password. So I would need to compare the new password with the old password (saved in the DB), which I don't have in plain text but a hash.
Now, when I hash the new password using the same salt, and compare it with the old password (hashed), I obviously cannot test whether or not the new and old password are similar.
I am just curious to find out how companies do that, when they don't save the password as a plain text in the DB?
I couldn't really find anything helpful on Google. If anyone has any suggestions, or links to articles that discuss this in more detail, I'd appreciate it if they could share them.
One approach to test for similarity if the stored password is hashed (rather than encrypted) is to generate a number of likely permutations of the new password, hash the permutations, and see if any of those hashes correspond to the stored hash.
The rules for generating permutations would be the same as the rules for disallowed similarities.
OLD
password1
NEW
password2
PERMUTATIONS
password
password1 // This permutation's hash matches the stored hash.
password3
1password
etc...