Decrypting password


#1

Hi,
I am using “Digest::SHA1.hexdigest” to encrypt password. Now, I want to
decrypt that password. Is it possible to decrypt the password and
recover original one?

Thank,
Tushar


#2

No, it’s not.

You’re using a hashing algorithm, if you want to get it back later
(which isn’t a good idea, for passwords specially), you should check
for ruby cryptography libraries.

Maurício Linhares
http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/
(en)

On Tue, Jan 20, 2009 at 11:24 AM, Tushar G.


#3

On 20 Jan 2009, at 14:24, Tushar G. wrote:

Hi,
I am using “Digest::SHA1.hexdigest” to encrypt password. Now, I want
to
decrypt that password. Is it possible to decrypt the password and
recover original one?

Nope. SHA1 is a digest function, not an encryption function and thus
inherently one-way only (at least that’s what it’s aiming for). If you
do find a way, a number of crypto researchers would be very interested
to find out how
Fred


#4

Frederick C. wrote:

Nope. SHA1 is a digest function, not an encryption function and thus
inherently one-way only (at least that’s what it’s aiming for). If you
do find a way, a number of crypto researchers would be very interested
to find out how
Fred
I heard recently that MD5 has started to show some weakness, which
actually has allowed an old root certificate to be forged. As I heard it
they used a cluster of 200 PlayStation 3 systems, which took about two
weeks to find a usable collision on a MD5 hash allowing them to produce
the forged SSL certificate.

It’s really bad when a cryptographic hash can be reversed. However, it
is my understanding that there are no known weaknesses in the SHA hash
algorithms so SHA1 signed certificates are still perfectly safe (for
now).


#5

On Tue, Jan 20, 2009 at 8:05 AM, Robert W.
removed_email_address@domain.invalid wrote:

weeks to find a usable collision on a MD5 hash allowing them to produce
the forged SSL certificate.

It’s really bad when a cryptographic hash can be reversed. However, it
is my understanding that there are no known weaknesses in the SHA hash
algorithms so SHA1 signed certificates are still perfectly safe (for
now).

Actually, SHA1 is beginning to show serious weaknesses as well:
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

Not as bad as MD5, but it’s time to start moving away from SHA1 to
something stronger like SHA-256 or SHA-512 if you really care about
security.

Anyways, that said, in regards to the OP:

No you can’t reverse a hash (finding a collision as in the case of SSL
certificates is a different but related problem), but for passwords,
usually what you want to do is compare the hashed values. Ie: if the
stored hash value in your database matches the hashed user password,
then authentication success. If however you’re trying to do password
recovery, then you’ll need to come up with another solution (reseting
the user password to a random value and emailing it to them for
example)


Aaron T.
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
Windows
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. – Benjamin Franklin


#6

If what you’re trying to do is verify a password entered into an
application, what you should do is hash the entered password using the
same SHA1 method. The resulting hash will be the same as the stored
hash if the passwords are the same.

–Erik


#7

forget that.

On Jan 20, 4:24 pm, Tushar G. removed_email_address@domain.invalid