How Not to Check Passwords

So I found this piece of code today:

public final boolean isValidPassword(String password) {
    String inputHash = Crypto.hash(password);   // hash of the password the caller supplied
    String correctHash = getPasswordHash();     // hash stored in the database
    return inputHash.equals(correctHash);
}

I am not quite sure what the thought process was behind this — getPasswordHash is a method that simply retrieves a field from the database, so this method gets the password hash from the database, hashes the password given, and then uses String.equals() to compare the two.

Why on earth would someone do this instead of just checking the password? I totally understand if the getPasswordHash() method salted the password, or something, but it does not...
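For comparison, here is the salted variant the post says it would understand, as an added example that is not code from the post (written in Python rather than the post's Java, since the idea is the same in either). The stored value carries the scheme, iteration count and a per-user random salt next to the hash, so the verifier can recompute the same hash from the login attempt; the hash itself is PBKDF2-HMAC-SHA256, and the iteration count and the storage format are my assumptions, not anything the post specifies. The comparison uses hmac.compare_digest, which, unlike a plain equality check such as String.equals(), does not stop at the first differing byte.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: PBKDF2-HMAC-SHA256 with a 16-byte random salt. Tune the
# iteration count to your hardware; the post's Crypto.hash is unspecified.
SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' for storage.

    A fresh random salt is drawn unless one is supplied, so two users with the
    same password end up with different stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def is_valid_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare it in constant time.

    Any malformed stored value (wrong field count, unknown scheme, bad hex or
    iteration count) is rejected rather than raising.
    """
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest walks the whole digest regardless of where the first
    # mismatch is, unlike an ordinary equality check such as Java's String.equals().
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample credential; in the post's setting the stored string
    # would be the field read back by getPasswordHash().
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(is_valid_password("correct horse battery staple", stored))  # True
    print(is_valid_password("wrong password", stored))                 # False
```

At enrolment you would store the string hash_password returns; at login you pass the submitted password and that stored string to is_valid_password. Because the salt is random per user, hash_password("x") called twice yields two different stored values that both verify.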
