Check if password exists when signing up

lewisp.cox
Forum Newbie
Posts: 10
Joined: Sun Jan 02, 2011 11:29 am

Check if password exists when signing up

Post by lewisp.cox »

What I want to know is if there is a way in PHP to find if the password that the user has submitted is in use by someone else?

I tried googling and looking round a few forums but I couldn't find anything. I'm relatively new to PHP, that meaning I'm only building a localhost project site to learn. I have all of the basics sorted and some of the advanced.

Any help would be much appreciated :D
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Check if password exists when signing up

Post by Celauran »

Possible? Sure. If you're using per-user salts -- and if you're not, you should be -- it's also likely going to be considerably more trouble than it's worth. Moreover, what happens if a match is found? Alerting the user is giving them someone else's password. Sure, you're not saying whose password, but it still strikes me as a pretty bad idea.
lewisp.cox
Forum Newbie
Posts: 10
Joined: Sun Jan 02, 2011 11:29 am

Re: Check if password exists when signing up

Post by lewisp.cox »

I suppose I'd better get learning my JavaScript then!!
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Check if password exists when signing up

Post by Celauran »

I'm not sure I follow.
lewisp.cox
Forum Newbie
Posts: 10
Joined: Sun Jan 02, 2011 11:29 am

Re: Check if password exists when signing up

Post by lewisp.cox »

To see if it's easier to check in JavaScript than it is in PHP. The only reason I don't want to do it in JavaScript is because I haven't learnt it yet.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Check if password exists when signing up

Post by Celauran »

It won't be any easier in JS, nor will it be any better an idea. If you insist on doing it, just run the submitted password through whatever hashing algorithm you're using and query the database for matches. Per-user salts are going to complicate this, mind you.
lewisp.cox
Forum Newbie
Posts: 10
Joined: Sun Jan 02, 2011 11:29 am

Re: Check if password exists when signing up

Post by lewisp.cox »

Sorry, I don't follow you with per-user salts?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Check if password exists when signing up

Post by Celauran »

Rather than -- or, better still, in addition to -- using one predefined salt for every user, each user can have their own salt. time() of account creation works as an example. So rather than hash_function(salt + password), you would have hash_function(common salt + password + individual salt).
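
An added example, not part of any post in this thread: the effect of per-user salts on a duplicate-password lookup, sketched with PHP's built-in password_hash() and password_verify() (which generate a random salt per hash and store it inside the hash string) in place of the time()-based salt suggested above. The array standing in for the users table, the function names and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Accounts and passwords are constructed.

// Sign-up: password_hash() draws a fresh random salt on every call and embeds
// it in the returned string, so no separate salt column is needed.
function register(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: verify the password against the single row selected by username.
// This is the username/password combination check.
function login(array $users, string $name, string $password): bool
{
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

// What a "WHERE password_hash = ?" duplicate lookup amounts to: hash the
// candidate and search for an identical stored value.
function duplicateByEquality(array $users, string $candidate): bool
{
    return in_array(password_hash($candidate, PASSWORD_DEFAULT), $users, true);
}

$users = [];   // stands in for the users table (hypothetical)
register($users, 'alice', 'correct horse battery');
register($users, 'bob', 'correct horse battery');   // same password as alice

// Identical passwords are stored as different hashes because the salts differ.
var_dump($users['alice'] === $users['bob']);

// The equality lookup hashes with yet another salt, so it cannot match either row.
var_dump(duplicateByEquality($users, 'correct horse battery'));

// Authentication still works, because it only ever checks one user's hash.
var_dump(login($users, 'bob', 'correct horse battery'));
var_dump(login($users, 'bob', 'wrong password'));
```

With salted hashes stored this way, the database alone cannot reveal that two accounts share a password, and the application never needs to know.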
lewisp.cox
Forum Newbie
Posts: 10
Joined: Sun Jan 02, 2011 11:29 am

Re: Check if password exists when signing up

Post by lewisp.cox »

Awesome, thanks. I'll see if I can use this and put it into practice.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Check if password exists when signing up

Post by pickle »

Don't do this.

You seem to have breezed over the very good point that ~Celauran made - if you say a password can't be used because it already exists, then you are giving out someone's password. 50% of your security has just been thrown out the window. It's not the uniqueness of the password that matters, but the uniqueness of the username/password combination.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Check if password exists when signing up

Post by Apollo »

lewisp.cox wrote: What I want to know is if there is a way in PHP to find if the password that the user has submitted is in use by someone else?
If this is even possible at all, it's an indication of bad security on your end.