How Not to Check Passwords

So I found this piece of code today:

    public final boolean isValidPassword(String password) {
        String inputHash = Crypto.hash(password);   // hash of the password the caller supplied
        String correctHash = getPasswordHash();     // hash read from the database
        return inputHash.equals(correctHash);       // plain string comparison of the two hashes
    }
I am not quite sure what the thought process was behind this: getPasswordHash() simply retrieves a field from the database, while isValidPassword() hashes the password it is given and then uses String.equals() to compare the two.

Why on earth would someone do this instead of just checking the password? I would totally understand it if getPasswordHash() salted the password, or something, but it does not.
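The post names salting as the thing that would make the hashed comparison worthwhile. As an added example, and not code from the post, here is what a salted version of the same check looks like in Java using the JDK's own PBKDF2 implementation (javax.crypto.SecretKeyFactory with PBKDF2WithHmacSHA256). The class name, the stored-record layout (base64 salt and base64 derived key separated by a colon), the 16-byte salt length and the iteration count are assumptions made for the example; the sample password in main() is constructed.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical class: a salted replacement for the isValidPassword() shown in the post.
public class SaltedPasswordCheck {
    private static final int SALT_BYTES = 16;       // assumption for the example
    private static final int ITERATIONS = 100_000;  // assumption for the example
    private static final int KEY_BITS = 256;

    // Builds the value to store at registration time: base64(salt) + ":" + base64(derivedKey).
    // A fresh random salt per user means two users with the same password get different records.
    public static String createRecord(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] derived = derive(password, salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(derived);
    }

    // Verifies a login attempt against the stored record: re-derive with the stored salt
    // and compare the two byte arrays with MessageDigest.isEqual rather than String.equals.
    public static boolean isValidPassword(char[] password, String storedRecord) throws Exception {
        String[] parts = storedRecord.split(":", 2);
        if (parts.length != 2) {
            return false;  // malformed record: never treat as a match
        }
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = derive(password, salt);
        return MessageDigest.isEqual(expected, actual);
    }

    // PBKDF2-HMAC-SHA256 key derivation; the salt is mixed in here, which is what
    // the unsalted Crypto.hash(password) call in the post is missing.
    private static byte[] derive(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: register once, then check a correct and an incorrect attempt.
        char[] chosen = "constructed-sample-password".toCharArray();
        String record = createRecord(chosen);
        System.out.println("stored record: " + record);
        System.out.println("correct password accepted: " + isValidPassword(chosen, record));
        System.out.println("wrong password accepted:   "
                + isValidPassword("not-the-password".toCharArray(), record));
    }
}
```

Two design points worth noting: the password is passed around as a char[] so the caller can clear it after use, and the comparison goes through MessageDigest.isEqual, which examines every byte instead of stopping at the first mismatch the way String.equals() does.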
