Forum: Ruby on Rails Decrypting password.

Tushar G. (Guest)
on 2009-01-20 16:24
Hi,
I am using "Digest::SHA1.hexdigest" to encrypt password. Now, I want to
decrypt that password. Is it possible to decrypt the password and
recover original one?

Thanks,
Tushar
Maurício L. (Guest)
on 2009-01-20 16:28
(Received via mailing list)
No, it's not.

You're using a hashing algorithm. If you want to get it back later
(which isn't a good idea, especially for passwords), you should check
for Ruby cryptography libraries.

-
Maurício Linhares
http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/
(en)



Frederick C. (Guest)
on 2009-01-20 16:29
(Received via mailing list)
On 20 Jan 2009, at 14:24, Tushar G. wrote:

> Hi,
> I am using "Digest::SHA1.hexdigest" to encrypt password. Now, I want to
> decrypt that password. Is it possible to decrypt the password and
> recover original one?
>
Nope. SHA1 is a digest function, not an encryption function and thus
inherently one-way only (at least that's what it's aiming for). If you
do find a way, a number of crypto researchers would be very interested
to find out how.
Fred
Robert W. (Guest)
on 2009-01-20 18:05
Frederick C. wrote:
> Nope. SHA1 is a digest function, not an encryption function and thus
> inherently one-way only (at least that's what it's aiming for). If you
> do find a way, a number of crypto researchers would be very interested
> to find out how
> Fred
I heard recently that MD5 has started to show some weakness, which
actually has allowed an old root certificate to be forged. As I heard it
they used a cluster of 200 PlayStation 3 systems, which took about two
weeks to find a usable collision on an MD5 hash allowing them to produce
the forged SSL certificate.

It's really bad when a cryptographic hash can be reversed. However, it
is my understanding that there are no known weaknesses in the SHA hash
algorithms so SHA1 signed certificates are still perfectly safe (for
now).
Aaron T. (Guest)
on 2009-01-20 19:31
(Received via mailing list)
On Tue, Jan 20, 2009 at 8:05 AM, Robert W.
<removed_email_address@domain.invalid> wrote:
> weeks to find a usable collision on a MD5 hash allowing them to produce
> the forged SSL certificate.
>
> It's really bad when a cryptographic hash can be reversed. However, it
> is my understanding that there are no known weaknesses in the SHA hash
> algorithms so SHA1 signed certificates are still perfectly safe (for
> now).

Actually, SHA1 is beginning to show serious weaknesses as well:
http://www.schneier.com/blog/archives/2005/02/cryp...

Not as bad as MD5, but it's time to start moving away from SHA1 to
something stronger like SHA-256 or SHA-512 if you really care about
security.

Anyways, that said, in regards to the OP:

No, you can't reverse a hash (finding a collision as in the case of SSL
certificates is a different but related problem), but for passwords,
usually what you want to do is compare the hashed values. I.e.: if the
stored hash value in your database matches the hashed user password,
then authentication succeeds. If however you're trying to do password
recovery, then you'll need to come up with another solution (resetting
the user password to a random value and emailing it to them, for
example).

--
Aaron T.
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
Windows
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.  -- Benjamin Franklin
wesselej (Guest)
on 2009-01-21 11:20
(Received via mailing list)
If what you're trying to do is verify a password entered into an
application, what you should do is hash the entered password using the
same SHA1 method. The resulting hash will be the same as the stored
hash if the passwords are the same.

--Erik
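
The compare-the-hashes check and the reset-instead-of-recover flow described in the two posts above, as an added example that is not part of the original thread. `legacy_sha1_match?` is the thread's own `Digest::SHA1.hexdigest` scheme; the salted PBKDF2-HMAC-SHA256 record, its `iterations$salt$hash` layout, the work factor and all method names are assumptions swapped in for this example.

```ruby
require "digest"
require "openssl"
require "securerandom"

ITERATIONS = 100_000 # assumed work factor for this example
KEY_LEN    = 32      # derived key length in bytes

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The thread's scheme: re-hash the entered password and compare digests.
# Unsalted, so identical passwords produce identical stored values.
def legacy_sha1_match?(stored_hex, candidate)
  secure_equal?(stored_hex, Digest::SHA1.hexdigest(candidate))
end

def derive(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LEN,
                             OpenSSL::Digest.new("SHA256"))
end

# Build a stored record "iterations$salt_hex$hash_hex" with a per-user salt.
def make_record(password, salt = SecureRandom.random_bytes(16), iterations = ITERATIONS)
  [iterations, salt.unpack1("H*"), derive(password, salt, iterations).unpack1("H*")].join("$")
end

# Verification never decrypts anything: it re-derives and compares.
def verify(record, candidate)
  iterations, salt_hex, hash_hex = record.split("$")
  secure_equal?(hash_hex, derive(candidate, [salt_hex].pack("H*"), iterations.to_i).unpack1("H*"))
end

# Recovery: the old password cannot be read back, so issue a random
# temporary one and store a fresh record for it.
def reset_password
  temp = SecureRandom.urlsafe_base64(12)
  [temp, make_record(temp)]
end
```
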
alexey.Creopolis (Guest)
on 2009-01-21 12:01
(Received via mailing list)
Forget that.
