Decode password


#1

Hi All,
i had encoded the password using,

Digest::SHA1.hexdigest(“change-me–#{pass}–”)

i got the password in the encoded form and i want to decode this string.

How can i do this?


#2

Since SHA1 is just a hash digest there is no direct way to decode it.
Plain
and simple.

One way to find the original string is to generate all possible words
and
compare their SHA1 hashes with yours. Good luck with that…

Nicolai

2007/4/27, Mitesh J. removed_email_address@domain.invalid:


#3

On 4/27/07, Mitesh J. removed_email_address@domain.invalid wrote:


Posted via http://www.ruby-forum.com/.

why do you want to decode it? If it’s to make sure a password entered by
a user is correct, hash their entered password in the same way, and
compare
the hashes together. If its because you, or a user forgot their
password,
generate a new (usually random) known password, and use the hash of
that,
and then send the new password to the user.


#4

Thats impossible, basically. A hash is a one-way function.
You could brute force it if you wanted, good luck waiting for
eternity…

Cheers


#5

On 27 Apr., 11:06, removed_email_address@domain.invalid wrote:

Thats impossible, basically. A hash is a one-way function.
You could brute force it if you wanted, good luck waiting for
eternity…

What a luck for us unix-administrators :wink:

That’s why unix-passwords are so safe since many years. Even if
someone else than root can read (/etc/shadow) you can only brute-force
that stuff and that can take some time, because even if the password
is very short, the hash always is at least 13 characters long…


#6

“man crypt” gives different, and better details on what hashes are used
in
/etc/shadow|/etc/passwd.
A hash simply is good because a malicious user has to brute force in the
first place, and is unable to read the password without having to do
further
work. It definitely doesn’t take more time to brute force because the
hash
is longer, as for a brute force you’re generating all possible passwords
and
then the hash value for them, comparing to the hash you’re trying to
crack.
If you use the letter “a” as your password, the hash function you run on
it
can generate a hash that is 1,024 characters in length - if I brute
force
the 26 letters of the alphabet and compare the results to your password
hash, it’ll still at most take me 26 tries to find out you used the
letter
“a”. Just that a password is stored as a hash doesn’t eliminate the need
for
a strong password.

It’s also notable that both md5 and sha1, probably the most commonly
used
hashes - though some *nix still use DES for password encryption, which
is
/relatively/ insecure - have been found vulnerable to collision attacks.
You
may also want to read up on the birthday paradox and its relation to
attacks
on hash functions. In short, while it’s very, very expensive and for the
home user entirely unfeasible to attack hashes, it’s not as expensive as
having to literally try every possible combination.

That concludes my nitpicking for the day. I didn’t mean to be mean.


#7

On 4/27/07, Mitesh J. removed_email_address@domain.invalid wrote:

Hi All,
i had encoded the password using,

Digest::SHA1.hexdigest(“change-me–#{pass}–”)

i got the password in the encoded form and i want to decode this string.

Perhaps you are trying to do authentication like this? The usual
method is to encode the password on the other side in the same way and
compare the hashes. You send the hash over the wire so that anyone
capturing the hash cannot get the password.

You may want to google and read up on Challenge Response
authentication, there are many great articles.