decrypting salted passwords

Hello. Does anyone know how to decrypt a salted-hashed password?

The usage:

I am working on an application to store client login information. Obviously I need to store the password securely using the salted method, but when I go to edit the password or view it, it shows the encrypted password rather than what it actually is. How can I get the password to show?

Thanks in advance for any help!

Patrick Elder wrote:

Hello. Does anyone know how to decrypt a salted-hashed password?

The usage:

I am working on an application to store client login information. Obviously I need to store the password securely using the salted method, but when I go to edit the password or view it, it shows the encrypted password rather than what it actually is. How can I get the password to show?

Thanks in advance for any help!

You don't decrypt it. A hash (in this context, anyway) is 1 way. The point of it is to NOT ever store the original, you only check that the hashed value of what the user typed is the same as the hashed value you stored.

From a user perspective, if you need to have users change their passwords, you can just have them type in their old password and the new one (along with a confirmation). They don’t really need to see their password.

For users who forget their password, you can have the system assign a new one at random, e-mail it to them (before hashing it and storing it to the database), and ask them to change it once they login.

The point of encryption is that it’s not feasible to decrypt, so you have to work around your inability to see it.
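To make the check described above concrete, here is an added example (not code from the thread or from Acts as Authenticated) of salted one-way storage: a random per-user salt, PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library, and a constant-time comparison at login. The iteration count and key length are assumptions chosen for the example.

```ruby
require 'openssl'
require 'securerandom'

# Assumed parameters for this example; tune the iteration count to your hardware.
ITERATIONS = 100_000
KEY_LEN = 32 # bytes of derived digest

# Hash a password with a salt. A fresh random salt is generated when none is
# given, so the same password stored twice produces two different records.
# The returned record holds only salt and digest, never the password itself.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                      OpenSSL::Digest.new('SHA256'))
  { salt: salt.unpack1('H*'), digest: digest.unpack1('H*') }
end

# Constant-time equality: the loop always runs over every byte, so the time
# taken does not reveal at which position two digests first differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Login check: re-derive the digest from the stored salt and the typed
# password, then compare. Nothing here recovers the original password.
def verify_password(record, attempt)
  salt = [record[:salt]].pack('H*')
  candidate = hash_password(attempt, salt)[:digest]
  secure_equal?(candidate, record[:digest])
end

if __FILE__ == $PROGRAM_NAME
  stored = hash_password('correct horse battery staple') # constructed sample
  puts "stored record: #{stored.inspect}"
  puts "right password: #{verify_password(stored, 'correct horse battery staple')}"
  puts "wrong password: #{verify_password(stored, 'Tr0ub4dor&3')}"
end
```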

Hello. Does anyone know how to decrypt a salted-hashed password?

The usage:

I am working on an application to store client login information. Obviously I need to store the password securely using the salted method, but when I go to edit the password or view it, it shows the encrypted password rather than what it actually is. How can I get the password to show?

Hey Patrick,

The entire point of them is that you *can't* decrypt them [1]. That's why it's secure storage. What was the last application you used which let you *view* a password in cleartext?

Ben

[1] Well, not without a LOT of time and computers.

Hi Patrick,

If the requirement is to be able to reverse the passwords, you can implement reversible encryption instead of using hashing.

Have a look over there: http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated (currently down, as it seems). If my memory serves me well, there are bits of code illustrating how to achieve this.

Keep in mind that if the passwords are reversible, then someone with sufficient access rights (e.g. an admin, or a nasty intruder) is able to, well, reverse them.

I use hashing when possible instead.

Cheers,

Thibaut

Thanks for your help everyone. You've all helped me understand encryption a little better, which sorta clears up my approach with this application. It's not that I am allowing people to change their passwords. The application's objective is to store client information (i.e. FTP info, control panel...) and retrieve it as necessary in the application. I suppose Acts as Authenticated is the approach I need to take.