decrypting salted passwords

Hello. Does anyone know how to decrypt a salted-hashed password?

The usage:

I am working on an application to store client login information.
Obviously I need to store the password securly using the salted method,
but when I go to edit the password or view it; it shows the ecncrypted
password rather than what it actually is. How can I get the password
to show?

Thanks in advance for any help!

Patrick Elder wrote:

Hello. Does anyone know how to decrypt a salted-hashed password?

The usage:

I am working on an application to store client login information.
Obviously I need to store the password securly using the salted method,
but when I go to edit the password or view it; it shows the ecncrypted
password rather than what it actually is. How can I get the password
to show?

Thanks in advance for any help!

You don't decrypt it. A hash (in this context, anyway) is 1 way. The
point of it is to NOT ever store the original, you only check that the
hashed value of what the user typed is the same as the hashed value you
stored.

From a user perspective, if you need to have users change their passwords, you can just have them type in their old password and the new one (along with a confirmation). They don’t really need to see their password.

For users who forget their password, you can have the system assign a new one at random, e-mail it to them (before hashing it and storing it to the database), and ask them to change it once they login.

The point of encryption is that it’s not feasible to decrypt, so you have to work around your inability to see it.

Hello. Does anyone know how to decrypt a salted-hashed password?

The usage:

I am working on an application to store client login information.
Obviously I need to store the password securly using the salted
method,
but when I go to edit the password or view it; it shows the ecncrypted
password rather than what it actually is. How can I get the password
to show?

Hey Patrick,

The entire point of them is that you *can't* decrypt them [1] .
That's why it's secure storage. What was the last application you
used which let you *view* a password in cleartext?

Ben

[1] Well, not without a LOT of time and computers.

Hi Patrick

if the requirement is to be able to reverse the passwords, you can implement a reversible encryption instead of using hashing.

have a look over there
http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated
(currently down as it seems). If my memory serves me well, there are bits of code illustrating how to achieve this.

keep in mind that if the passwords are reversible, then someone with sufficient access rights (eg an admin, or an nasty intruder) is able to, well, reverse them.

I use hashing when possible instead.

cheers

Thibaut

Thanks for your help everyone. You've all helped me understand
encryption a little better, which sorta clears up my approach with this
application. It's not that I am allowing people to change their
passwords. The application's objective is to store client information
(i.e. ftp info, control panel...) and retrieve it as necessary in the
application. I suppose Acts as Authenticated is the aproach I need to
take.