Forum: Ruby on Rails can we decrypt the cipher encrypted using Digest::SHA1.hexdigest

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
5faa716c5099281dfc924c8ea362d90f?d=identicon&s=25 --- Z@m --- (Guest)
on 2009-04-21 14:35
(Received via mailing list)
what i have done is as follows
password = Digest::SHA1.hexdigest("#{salt}:#{password}")

pass1 = Digest::SHA1.hexdigest("#{salt}:asdfgh")
pass2 = Digest::SHA1.hexdigest("#{salt}:asdfgh")
pass3 = Digest::SHA1.hexdigest("#{salt}:qwerty")

puts pass1==pass2
puts pass1==pass3

This works fine
but i need to get the decrypted password

how can i get it
any help is highly appreciated

Thanks in advance

Krishnaprasad Varma
India
81b61875e41eaa58887543635d556fca?d=identicon&s=25 Frederick Cheung (Guest)
on 2009-04-21 15:10
(Received via mailing list)
On 21 Apr 2009, at 13:34, --- Z@m --- wrote:

>
> This works fine
> but i need to get the decrypted password
>
> how can i get it

You can't[1]. Digests by design are one way only.

Fred

[1] Obviously you can try a brute force attack and cryptography
researchers have found various attacks, but that's probably not what
you meant
5faa716c5099281dfc924c8ea362d90f?d=identicon&s=25 Z@M (Guest)
on 2009-04-21 15:23
(Received via mailing list)
And using Digest::MD5 ?? can i encrypt
D188e591eac11021329b8821a5f954c7?d=identicon&s=25 Ar Chron (railsdog)
on 2009-04-21 15:42
Why do you need the plaintext?

Generally speaking, even an admin should not be able to get back your
plaintext. That role should be able to reset your account so that you
can once again set your password to something only you know.

To try and engineer something in that appears like security to a user
but isn't is deceptive at best.
81b61875e41eaa58887543635d556fca?d=identicon&s=25 Frederick Cheung (Guest)
on 2009-04-21 16:02
(Received via mailing list)
On Apr 21, 2:22 pm, "Z@M" <krishnaprasadva...@gmail.com> wrote:
> And using Digest::MD5 ?? can i encrypt

Digests are all one way. pretty much the definition of a digest is
that it is not reversible.

Fred
5faa716c5099281dfc924c8ea362d90f?d=identicon&s=25 Z@M (Guest)
on 2009-04-21 16:55
(Received via mailing list)
Ok i think its time to reveal my need

i was doin a login system in rails
for the time being i didnt provide the password encryption and i
thought it was simple as
many reliable encryption algorithms are available every where

every thing worked perfectly untill i started encrypting the password
and save it in db

i am able to check weather the password enter is correct or not

almost all the browser provide the facility to remember username and
passwords
so i thought i would do it  myself and stored the password and
username in the cookie if
" remember me " option is ticked

it now fetches the password from the database and stores it in the
coockie
so when the user comes next time he is shown the password which is
encrypted and the login fails
81b61875e41eaa58887543635d556fca?d=identicon&s=25 Frederick Cheung (Guest)
on 2009-04-21 17:36
(Received via mailing list)
On Apr 21, 3:54 pm, "Z@M" <krishnaprasadva...@gmail.com> wrote:

> almost all the browser provide the facility to remember username and
> passwords
> so i thought i would do it  myself and stored the password and
> username in the cookie if
> " remember me " option is ticked
>

Typically this is done by storing a token in a cookie - if your login
page receives a cookie with an appropriate token then you skip
straight to the user being logged in. This avoids needing to store the
password in an insecure place.

Fred
3b1756d05466b4a78afd9aea7bb845c2?d=identicon&s=25 Aaron Turner (Guest)
on 2009-04-21 20:31
(Received via mailing list)
On Tue, Apr 21, 2009 at 7:54 AM, Z@M <krishnaprasadvarma@gmail.com>
wrote:
>
> so when the user comes next time he is shown the password which is
> encrypted and the login fails

Apologies if this seems a bit harsh, but you're not the first person
to ask this list a question like this (and prolly not the last).

Security- especially cryptography is HARD.  You clearly have no idea
what you're doing when it comes to security/crypto.  Even if you
properly understood crypto fundamentals, you'd still probably use the
algorithms incorrectly which would open up huge holes- it happens all
the time.  Even the so-called "experts" can and do get it wrong
occasionally.

The solution is simple: stop trying to roll your own solution.  Use
SSL with something like restful_authentication and be done with it.

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
Windows
Those who would give up essential Liberty, to purchase a little
temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
054ea2f04b5592b91f8223796cc53979?d=identicon&s=25 Brendon Whateley (brendon)
on 2009-04-21 22:17
(Received via mailing list)
Wow, that is about the worst possible solution to the "keeping the
user logged in" problem!

I assume you want them to be "just logged in" when they come back to
the site?  That is what the user wants.  You can use a cookie to
associate the user with being logged in, but why in the name of all
good things would you want to store the username/password in the
cookie?  You know that is plain text?  Your site, if it decides to let
a user in for some reason other than user name and password really
does not need to know anything about the password or user name.  The
session cookie is enough.

As others have said: you cannot "unhash" a cryptographic hash.  Nor
should you want to.  The idea is to verify that the user knows the
SECRET (password) without anybody else having access to the SECRET.
Storing it in the cookie is bad.

You are trying to solve a very simple problem in a very complicated
way!

Brendon.
6883e5ef03484d4fcef507d7b4f1d243?d=identicon&s=25 Matt Jones (Guest)
on 2009-04-22 03:26
(Received via mailing list)
He's still doing it better than the dev shop I once cleaned up after -
they appeared to think that base64 encoding was a form of
encryption...

Although, it did save me a lot of trouble when migrating users over to
the new system.

--Matt Jones
41cc2c53544016a86472343ab3fdc0ff?d=identicon&s=25 Simon Macneall (Guest)
on 2009-04-22 04:04
(Received via mailing list)
We've got the same thing where I am at the moment. The old .net app has
the passwords stored in plain text in the Db. I guess if you get as far
as being able to log onto the db, then you have already gotten full
access to the system, but still seems wrong.

Simon
054ea2f04b5592b91f8223796cc53979?d=identicon&s=25 Brendon Whateley (brendon)
on 2009-04-23 01:50
(Received via mailing list)
The risk of to the users of access to plain text passwords is far
greater, since many (most) users use the same password for similar
types of sites.  (I say that hoping people use a different password
for online banking while they use another password for gmail, yahoo,
<your system>, NYT, etc.)

Next up, support having to ask customers for the password to access
the account!
This topic is locked and can not be replied to.