
Check if password exists when signing up

Posted: Sat Oct 15, 2011 3:37 pm
by lewisp.cox
What I want to know is if there is a way in PHP to find if the password that the user has submitted is in use by someone else?

I tried googling and looking round a few forums but I couldn't find anything. I'm relatively new to PHP, that meaning I'm only building a localhost project site to learn. I have all of the basics sorted and some of the advanced.

Any help would be much appreciated :D

Re: Check if password exists when signing up

Posted: Sat Oct 15, 2011 3:43 pm
by Celauran
Possible? Sure. If you're using per-user salts -- and if you're not, you should be -- it's also likely going to be considerably more trouble than it's worth. Moreover, what happens if a match is found? Alerting the user is giving them someone else's password. Sure, you're not saying whose password, but it still strikes me as a pretty bad idea.

Re: Check if password exists when signing up

Posted: Sat Oct 15, 2011 3:45 pm
by lewisp.cox
I suppose I'd better get learning my JavaScript then!!

Re: Check if password exists when signing up

Posted: Sat Oct 15, 2011 3:48 pm
by Celauran
I'm not sure I follow.

Re: Check if password exists when signing up

Posted: Sat Oct 15, 2011 3:50 pm
by lewisp.cox
To see if it's easier to check in JavaScript than it is in PHP. The only reason I don't want to do it in JavaScript is because I haven't learnt it yet.

Re: Check if password exists when signing up

Posted: Sat Oct 15, 2011 3:51 pm
by Celauran
It won't be any easier in JS, nor will it be any better an idea. If you insist on doing it, just run the submitted password through whatever hashing algorithm you're using and query the database for matches. Per-user salts are going to complicate this, mind you.

Re: Check if password exists when signing up

Posted: Sat Oct 15, 2011 3:57 pm
by lewisp.cox
Sorry, I don't follow you with per-user salts?

Re: Check if password exists when signing up

Posted: Sat Oct 15, 2011 4:04 pm
by Celauran
Rather than -- or, better still, in addition to -- using one predefined salt for every user, each user can have their own salt. time() of account creation works as an example. So rather than hash_function(salt + password), you would have hash_function(common salt + password + individual salt).
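
Per-user salts as described in the post above, shown as an added example that is not part of the original thread. It uses PHP's password_hash(), which generates a random salt for every hash, in place of the time()-based salt; PEPPER, signUp() and the in-memory $users array are hypothetical stand-ins for a real secret and users table.

```php
<?php
// Added example. PEPPER, $users and the function names are hypothetical.
const PEPPER = 'constructed-site-wide-secret'; // the "common salt"; kept outside the DB in practice

function hashPassword(string $password): string
{
    // Mix in the common salt, then let password_hash() add a random per-user salt.
    // Hex HMAC output is 64 characters, inside bcrypt's 72-byte input limit.
    $peppered = hash_hmac('sha256', $password, PEPPER);
    return password_hash($peppered, PASSWORD_BCRYPT);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // password_verify() reads the salt back out of the stored hash string.
    $peppered = hash_hmac('sha256', $password, PEPPER);
    return password_verify($peppered, $storedHash);
}

function signUp(array &$users, string $username, string $password): bool
{
    if (isset($users[$username])) {
        return false; // only the username has to be unique
    }
    $users[$username] = hashPassword($password);
    return true;
}

// Constructed "users table", keyed by username.
$users = [];
signUp($users, 'alice', 'correct horse');
signUp($users, 'bob', 'correct horse'); // same password, accepted without comment

// Identical passwords produce different stored hashes, so hashing the
// submitted password and looking for an equal row matches nobody.
var_dump($users['alice'] === $users['bob']);
var_dump(in_array(hashPassword('correct horse'), $users, true));

// Login is unaffected: verify against the one hash stored for that username.
var_dump(verifyPassword('correct horse', $users['bob']));
var_dump(verifyPassword('wrong guess', $users['bob']));
```

The first two var_dump() calls show why an equality query on the hash column cannot detect a reused password once each user has an individual salt.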

Re: Check if password exists when signing up

Posted: Sat Oct 15, 2011 4:20 pm
by lewisp.cox
Awesome, thanks. I'll see if I can use this and put it into practice.

Re: Check if password exists when signing up

Posted: Mon Oct 17, 2011 10:27 am
by pickle
Don't do this.

You seem to have breezed over the very good point that ~Celauran made - if you say a password can't be used because it already exists, then you are giving out someone's password. 50% of your security has just been thrown out the window. It's not the uniqueness of the password that matters, but the uniqueness of the username/password combination.

Re: Check if password exists when signing up

Posted: Mon Oct 17, 2011 10:29 am
by Apollo
lewisp.cox wrote: What I want to know is if there is a way in PHP to find if the password that the user has submitted is in use by someone else?
If this is even possible at all, it's an indication of bad security on your end.