Decrypting salted passwords

Hello. Does anyone know how to decrypt a salted-hashed password?

The usage:

I am working on an application to store client login information.
Obviously I need to store the password securely using the salted method,
but when I go to edit the password or view it, it shows the encrypted
password rather than what it actually is. How can I get the password
to show?

Thanks in advance for any help!

From a user perspective, if you need to have users change their passwords,
you can just have them type in their old password and the new one (along
with a confirmation). They don't really need to see their password.

For users who forget their password, you can have the system assign a new
one at random, e-mail it to them (before hashing it and storing it to the
database), and ask them to change it once they login.

The point of encryption is that it's not feasible to decrypt, so you have to
work around your inability to see it.

On 5 Sep 2006, at 06:47, Patrick Elder wrote:

to show?
Hey Patrick,

The entire point of them is that you can't decrypt them [1].
That's why it's secure storage. What was the last application you
used which let you view a password in cleartext?

Ben

[1] Well, not without a LOT of time and computers.



Ben B. - Director
Airsource Ltd
Tel: 01223 708370 / 07786 916043

Hi Patrick

If the requirement is to be able to reverse the passwords, you can implement
a reversible encryption instead of using hashing.

Have a look over there:
http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated (currently
down, as it seems). If my memory serves me well, there are bits of
code illustrating how to achieve this.

Keep in mind that if the passwords are reversible, then someone with
sufficient access rights (e.g. an admin, or a nasty intruder) is able to,
well, reverse them.

I use hashing when possible instead.

cheers

Thibaut

[blog] http://www.dotnetguru2.org/tbarrere

Thanks for your help everyone. You've all helped me understand
encryption a little better, which sorta clears up my approach with this
application. It's not that I am allowing people to change their
passwords. The application's objective is to store client information
(i.e. FTP info, control panel...) and retrieve it as necessary in the
application. I suppose Acts as Authenticated is the approach I need to
take.
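The reversible-storage case Thibaut describes, and the use Patrick has for it (handing a client's FTP or control-panel password back to the application later), as an added Ruby example that is not from the thread and not from Acts as Authenticated. It uses AES-256-GCM from the OpenSSL standard library: each record gets a fresh random IV, the record's identity is bound in as associated data so a blob copied into another client's row will not decrypt, and the authentication tag turns tampering into a nil result instead of garbage plaintext. The module and method names, the 32-byte key generated inline, and the "client:42:ftp" context string are all my assumptions for the demo; the real key has to live outside the database (environment, KMS, HSM), which is exactly the "someone with sufficient access can reverse them" caveat above.

```ruby
require 'openssl'
require 'securerandom'

# Added example: reversible storage for third-party credentials (FTP logins,
# control-panel passwords) that the application must later return in clear.
# AES-256-GCM gives confidentiality plus an authentication tag, so a modified
# or swapped ciphertext is rejected rather than decrypted to junk.
# The key must live outside the database; it is generated inline in the demo
# at the bottom only so that the example runs stand-alone.
module CredentialVault
  IV_BYTES  = 12
  TAG_BYTES = 16

  # Encrypt `secret` and bind it to `context` (e.g. "client:42:ftp") as
  # associated data, so a blob moved into another client's row fails to
  # decrypt. Returns base64(iv || tag || ciphertext), suitable for a text column.
  def self.encrypt(key, secret, context)
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
    raise ArgumentError, 'secret must not be empty' if secret.empty?
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv      # fresh random IV per record; never reuse one with a key
    cipher.auth_data = context
    ciphertext = cipher.update(secret) + cipher.final
    [iv + cipher.auth_tag + ciphertext].pack('m0')
  end

  # Returns the plaintext, or nil if the key, context, IV, tag or ciphertext
  # differs from what was encrypted (the GCM tag check fails).
  def self.decrypt(key, blob, context)
    raw = blob.unpack1('m0')
    return nil if raw.bytesize <= IV_BYTES + TAG_BYTES
    iv         = raw.byteslice(0, IV_BYTES)
    tag        = raw.byteslice(IV_BYTES, TAG_BYTES)
    ciphertext = raw.byteslice(IV_BYTES + TAG_BYTES, raw.bytesize)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = context
    cipher.update(ciphertext) + cipher.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    nil
  end

  # Simulates an intruder or a disk fault flipping one bit of the stored blob.
  def self.tamper(blob)
    raw  = blob.unpack1('m0')
    last = raw.bytesize - 1
    raw.setbyte(last, raw.getbyte(last) ^ 0x01)
    [raw].pack('m0')
  end
end

if __FILE__ == $PROGRAM_NAME
  key  = SecureRandom.random_bytes(32)   # demo only; keep the real key out of the DB
  blob = CredentialVault.encrypt(key, 'ftp-p4ssw0rd', 'client:42:ftp')
  puts blob
  puts CredentialVault.decrypt(key, blob, 'client:42:ftp')                         # ftp-p4ssw0rd
  p    CredentialVault.decrypt(key, blob, 'client:43:ftp')                         # nil
  p    CredentialVault.decrypt(key, CredentialVault.tamper(blob), 'client:42:ftp') # nil
end
```

Anyone who can read both the database and the key (an admin, or an intruder who has got that far) can still recover every stored secret, so this only moves the problem; it is the right tool for credentials the application must replay to another system, and the wrong one for the users' own login passwords.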

Patrick Elder wrote:

Thanks in advance for any help!
You don't decrypt it. A hash (in this context, anyway) is one-way. The
point of it is to NOT ever store the original; you only check that the
hashed value of what the user typed is the same as the hashed value you
stored.
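The hash-and-compare login check described in the reply above and in the first reply (re-hash what the user typed, compare with what you stored, never decrypt), as an added Ruby example that is not from the thread and not from any plugin mentioned in it. It uses PBKDF2-HMAC-SHA256 from the OpenSSL standard library with a random per-user salt, so two users with the same password get different stored values, and compares the hashes in constant time. The module name, the record format and the 100,000 iteration count are my assumptions; tune the cost for your own hardware, and in a real application prefer a maintained bcrypt or Argon2 library.

```ruby
require 'openssl'
require 'securerandom'

# Added example: salted one-way password storage with PBKDF2-HMAC-SHA256.
# Names, record format and parameters are illustrative, not from the thread.
module PasswordStore
  ALGO       = 'pbkdf2-sha256'
  ITERATIONS = 100_000   # assumed cost; raise it as your hardware allows
  SALT_BYTES = 16
  KEY_BYTES  = 32

  # Derive the hash and return the stored record as
  # "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>".
  # The salt is random per record, so equal passwords store differently and a
  # precomputed table for one user is useless against the next.
  def self.create(password, iterations: ITERATIONS)
    salt = SecureRandom.random_bytes(SALT_BYTES)
    dk   = derive(password, salt, iterations)
    [ALGO, iterations, salt.unpack1('H*'), dk.unpack1('H*')].join('$')
  end

  # Verification never decrypts anything: recompute the hash from the
  # candidate password plus the stored salt, then compare the two hashes.
  def self.verify(password, stored)
    algo, iter, salt_hex, hash_hex = stored.split('$', 4)
    return false unless algo == ALGO && iter && salt_hex && hash_hex
    salt     = [salt_hex].pack('H*')
    expected = [hash_hex].pack('H*')
    actual   = derive(password, salt, iter.to_i)
    secure_compare(actual, expected)
  end

  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_BYTES, hash: 'sha256')
  end

  # Compare without stopping at the first differing byte, so the time taken
  # does not leak how much of the hash matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  record = PasswordStore.create('correct horse battery staple')
  puts record
  puts PasswordStore.verify('correct horse battery staple', record)  # true
  puts PasswordStore.verify('wrong password', record)                # false
end
```

Because the iteration count and the salt are stored next to the hash, the record is self-describing: a later change to ITERATIONS only affects newly created records, and old ones still verify until the user next logs in and you re-create them at the new cost.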