How does google use the best guess of a previous password?

Time:06-20

As we all know, password hashing is used to ensure the integrity of passwords; in other words, the password is decrypted and almost can't be reversed (unless you have unlimited computing power). The following lines are just copied from the Google support page:

 If you can't confidently recall any previous passwords: Take your best guess.

Hashes of two passwords, even if they are very close, can't be compared. So what's the point of asking someone for a guess? How does Google use the best guess to make sure that this account belongs to someone? Do they use their supercomputers to break the hashes and then compare them with the best guess?

CodePudding user response:

It's likely that this is less about variants of a specific password, but instead about different passwords.

This is just speculation, but Google probably stores a small amount of password history, and takes your knowledge of a previous password as a weak signal that you are the account holder, and adjusts the rest of the workflow accordingly.

(Well, not entirely speculation - I've done this workflow a few times, and it did know some of my previous passwords. They just all happened to be entirely different from each other, not variations.)

CodePudding user response:

I have a guess/idea of how that might be achieved...

On entering an incorrect password, initially the hash will be compared to the stored value and fail the test. As the question points out, variations of the hash would not be helpful in seeing if the failure was due to a misremembered but 'similar' password.

On failure, when the 'best guess' is offered, it would be relatively computationally inexpensive to mutate the incorrect plain text string and hash the results for comparison. In principle, the mutation could even be done on the client machine.

Google has countless trillions of data points relating to the idiosyncrasies of human error, including memory tricks that convince us we have the right word, gleaned over years of countless billions of internet searches and other internet activities. It is possible that mutation of errors of the submitted plain text is non-random and instead guided by that prior knowledge of human quirks. Examples might be people who replace e with 3 but sometimes revert to e. I suppose the types of things we ourselves try when a password fails, but with a larger set of trial combinations.

The key to my suggestion is mutating the plain text before hashing.
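The mechanism the two answers sketch (a short history of salted hashes, plus hashing a bounded set of mutations of the guess during recovery) as an added example; this is not Google's code or anything from the original post, and the PBKDF2 parameters and the substitution table are assumptions:

```python
import hashlib
import hmac
import os

# Constructed example of a service-side "best guess" check for an account
# recovery flow. How Google really does this is unknown; the hash function
# (PBKDF2-HMAC-SHA256) and the substitution table below are assumptions.
ITERATIONS = 10_000  # kept low for the demo; production uses a far higher cost
SUBS = {"e": "3", "a": "@", "o": "0", "i": "1", "s": "$"}
REVERSE_SUBS = {v: k for k, v in SUBS.items()}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def remember(history: list, password: str, keep: int = 3) -> None:
    """Push a new salted hash onto the history, keeping only the last `keep`."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))
    del history[:-keep]


def variants(guess: str) -> list:
    """Bounded, deterministic list of near-miss variants, exact guess first."""
    out = [guess, guess.lower(), guess.upper(), guess.capitalize(), guess.swapcase()]
    for i, ch in enumerate(guess):                 # one substitution at a time
        if ch.lower() in SUBS:
            out.append(guess[:i] + SUBS[ch.lower()] + guess[i + 1:])
        if ch in REVERSE_SUBS:
            out.append(guess[:i] + REVERSE_SUBS[ch] + guess[i + 1:])
    out += [guess + str(d) for d in range(10)]     # forgotten trailing digit
    if guess[-1:].isdigit():
        out.append(guess[:-1])                     # extra trailing digit
    return list(dict.fromkeys(out))                # dedupe, preserve order


def best_guess_matches(guess: str, history: list):
    """Return (history_index, matching_variant) or None, using constant-time compares."""
    for v in variants(guess):
        for idx, (salt, digest) in enumerate(history):
            if hmac.compare_digest(hash_password(v, salt), digest):
                return idx, v
    return None
```

Every variant costs a full password-hash computation per history entry, so the variant set must stay small and the check should only be reachable from a rate-limited recovery flow, never from the normal login path.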
