Forum: Ruby Decode password

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
9d659a36c0ffc29defdeee9f3034b800?d=identicon&s=25 Mitesh Jain (Guest)
on 2007-04-27 10:51
Hi All,
i had encoded the password using,

Digest::SHA1.hexdigest("change-me--#{pass}--")

i got the password in the encoded form and i want to decode this string.

How can i do this?
59528506e6297141161afcde91d677c9?d=identicon&s=25 Nicolai Reuschling (codeblogger)
on 2007-04-27 10:58
(Received via mailing list)
Since SHA1 is just a hash digest there is no direct way to decode it.
Plain
and simple.

One way to find the original string is to generate all possible words
and
compare their SHA1 hashes with yours. Good luck with that...


Nicolai



2007/4/27, Mitesh Jain <mitijain123@gmail.com>:
6448b40e7037dd0fda767f2370c31809?d=identicon&s=25 unknown (Guest)
on 2007-04-27 11:12
(Received via mailing list)
Thats impossible, basically. A hash is a one-way function.
You could brute force it if you wanted, good luck waiting for
eternity...

Cheers
E34b5cae57e0dd170114dba444e37852?d=identicon&s=25 Logan Capaldo (Guest)
on 2007-04-27 14:02
(Received via mailing list)
On 4/27/07, Mitesh Jain <mitijain123@gmail.com> wrote:
> --
> Posted via http://www.ruby-forum.com/.
>
> _why_ do you want to decode it? If it's to make sure a password entered by
a user is correct, hash their entered password in the same way, and
compare
the hashes together. If its because you, or a user forgot their
password,
generate a new (usually random) known password, and use the hash of
that,
and then send the new password to the user.
084b13bebff6514ac50cd171c4e10e51?d=identicon&s=25 ChrisKaelin (Guest)
on 2007-04-27 20:01
(Received via mailing list)
On 27 Apr., 11:06, chris.hulb...@gmail.com wrote:
> Thats impossible, basically. A hash is a one-way function.
> You could brute force it if you wanted, good luck waiting for
> eternity...
>

What a luck for us unix-administrators ;-)

That's why unix-passwords are so safe since many years. Even if
someone else than root can read (/etc/shadow) you can only brute-force
that stuff and that can take some time, because even if the password
is very short, the hash always is at least 13 characters long...
15a5043475dac9278ae75efb4c71f1f6?d=identicon&s=25 Felix Windt (Guest)
on 2007-04-27 22:13
(Received via mailing list)
"man crypt" gives different, and better details on what hashes are used
in
/etc/shadow|/etc/passwd.
A hash simply is good because a malicious user has to brute force in the
first place, and is unable to read the password without having to do
further
work. It definitely doesn't take more time to brute force because the
hash
is longer, as for a brute force you're generating all possible passwords
and
then the hash value for them, comparing to the hash you're trying to
crack.
If you use the letter "a" as your password, the hash function you run on
it
can generate a hash that is 1,024 characters in length - if I brute
force
the 26 letters of the alphabet and compare the results to your password
hash, it'll still at most take me 26 tries to find out you used the
letter
"a". Just that a password is stored as a hash doesn't eliminate the need
for
a strong password.

It's also notable that both md5 and sha1, probably the most commonly
used
hashes - though some *nix still use DES for password encryption, which
is
/relatively/ insecure - have been found vulnerable to collision attacks.
You
may also want to read up on the birthday paradox and its relation to
attacks
on hash functions. In short, while it's very, very expensive and for the
home user entirely unfeasible to attack hashes, it's not as expensive as
having to literally try every possible combination.


That concludes my nitpicking for the day. I didn't mean to be mean.
37ee5fa90f5eaeef62553629382497f7?d=identicon&s=25 Leslie Viljoen (Guest)
on 2007-04-27 22:32
(Received via mailing list)
On 4/27/07, Mitesh Jain <mitijain123@gmail.com> wrote:
> Hi All,
> i had encoded the password using,
>
> Digest::SHA1.hexdigest("change-me--#{pass}--")
>
> i got the password in the encoded form and i want to decode this string.

Perhaps you are trying to do authentication like this? The usual
method is to encode the password on the other side in the same way and
compare the hashes. You send the hash over the wire so that anyone
capturing the hash cannot get the password.

You may want to google and read up on Challenge Response
authentication, there are many great articles.
This topic is locked and can not be replied to.