I have two SHA512 hashes with salt:
h1 = "412e00cc45afb8d2d5675bf5de0d1bb83eb85ab4af2c5560c8cc580feeb319565cde4e8d57ff847c0c6d9c6681d68d7850da594932d66fd65db133b19e5b31ec:9c0d2ff09e8c43babc49d42ad215e0fa"
h2 = "bc80293178d0aa302f5372a744a2acd3d4f7350b635bcdbded1f95fba187a4d04b429b30fb94daed2a94be3ec2c9ed5a110827f3a794b9f8c40fcdd41015e2c2:1a8de82d82134aecbab7f6d0c37c8444"
Is it possible to compare them, to derive if they are generated from the same password without having the password?
hashlib.sha512(h1.encode).digest() == hashlib.sha512(h2.encode).digest()
>Solution :
No.
You’ve got both hash and salt – your strings are of the form hash:salt – but even with that, you would still need to crack the password of at least 1 hash to determine if the hashes came from the same password with different salts. Preventing attackers from easily determining if two hashes came from the same password is one of the primary reasons salts exist.
(As an aside, SHA-512 is a terrible choice of password hash, as it is not designed for the job and is far too quick to evaluate. Just cracking the password may be pretty easy.)