Hello. Does anyone know how to decrypt a salted-hashed password?

The usage:

I am working on an application to store client login information. Obviously I need to store the password securely using the salted method, but when I go to edit the password or view it; it shows the encrypted password rather than what it actually is. How can I get the password to show?

Thanks in advance for any help!

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
michael.campbell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Sep-05 05:53 UTC
Re: decrypting salted passwords
Patrick Elder wrote:
> Hello. Does anyone know how to decrypt a salted-hashed password?
>
> The usage:
>
> I am working on an application to store client login information.
> Obviously I need to store the password securely using the salted method,
> but when I go to edit the password or view it; it shows the encrypted
> password rather than what it actually is. How can I get the password
> to show?
>
> Thanks in advance for any help!

You don't decrypt it. A hash (in this context, anyway) is 1 way. The point of it is to NOT ever store the original, you only check that the hashed value of what the user typed is the same as the hashed value you stored.
From a user perspective, if you need to have users change their passwords, you can just have them type in their old password and the new one (along with a confirmation). They don't really need to see their password. For users who forget their password, you can have the system assign a new one at random, e-mail it to them (before hashing it and storing it to the database), and ask them to change it once they log in. The point of encryption is that it's not feasible to decrypt, so you have to work around your inability to see it.

On 9/5/06, michael.campbell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org <michael.campbell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Patrick Elder wrote:
> > Hello. Does anyone know how to decrypt a salted-hashed password?
> >
> > The usage:
> >
> > I am working on an application to store client login information.
> > Obviously I need to store the password securely using the salted method,
> > but when I go to edit the password or view it; it shows the encrypted
> > password rather than what it actually is. How can I get the password
> > to show?
> >
> > Thanks in advance for any help!
>
> You don't decrypt it. A hash (in this context, anyway) is 1 way. The
> point of it is to NOT ever store the original, you only check that the
> hashed value of what the user typed is the same as the hashed value you
> stored.
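The check-by-rehashing and old-password-then-change flow described in the two replies above, as an added Ruby example that is not code from the thread. PBKDF2-HMAC-SHA256, the iteration count and the `iterations$salt$hash` storage format are assumptions chosen for illustration.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 200_000 # assumed PBKDF2 work factor; tune for your hardware

def pbkdf2(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, OpenSSL::Digest.new("SHA256"))
end

# Returns "iterations$salt_hex$hash_hex"; the password itself is never stored.
def hash_password(password)
  salt = SecureRandom.random_bytes(16) # fresh random salt per password
  [ITERATIONS, salt.unpack1("H*"), pbkdf2(password, salt, ITERATIONS).unpack1("H*")].join("$")
end

# Constant-time comparison so timing does not reveal how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Re-hashes the typed password with the stored salt and compares the results.
def verify_password(password, stored)
  iterations, salt_hex, hash_hex = stored.split("$")
  candidate = pbkdf2(password, [salt_hex].pack("H*"), iterations.to_i)
  secure_equal?(candidate, [hash_hex].pack("H*"))
end

# Password change: the old password must verify before a new hash is issued.
def change_password(stored, old_password, new_password)
  verify_password(old_password, stored) ? hash_password(new_password) : nil
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password("correct horse (constructed sample)")
  puts record
  puts verify_password("correct horse (constructed sample)", record)
  puts verify_password("wrong guess", record)
end
```

Nothing in the stored record can be turned back into the password; the only operation available is re-deriving the hash from a candidate and comparing.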
On 5 Sep 2006, at 06:47, Patrick Elder wrote:
> Hello. Does anyone know how to decrypt a salted-hashed password?
>
> The usage:
>
> I am working on an application to store client login information.
> Obviously I need to store the password securely using the salted method,
> but when I go to edit the password or view it; it shows the encrypted
> password rather than what it actually is. How can I get the password
> to show?

Hey Patrick,

The entire point of them is that you *can't* decrypt them [1]. That's why it's secure storage. What was the last application you used which let you *view* a password in cleartext?

Ben

[1] Well, not without a LOT of time and computers.

> Thanks in advance for any help!

--
Ben Blaukopf - Director
Airsource Ltd
Tel: 01223 708370 / 07786 916043
Hi Patrick,

If the requirement is to be able to reverse the passwords, you can implement a reversible encryption instead of using hashing.

Have a look over there: http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated (currently down as it seems). If my memory serves me well, there are bits of code illustrating how to achieve this.

Keep in mind that if the passwords are reversible, then someone with sufficient access rights (e.g. an admin, or a nasty intruder) is able to, well, reverse them. I use hashing when possible instead.

cheers

Thibaut
--
[blog] http://www.dotnetguru2.org/tbarrere
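One way to do the reversible storage mentioned in the reply above, as an added Ruby example (not code from the thread or from Acts as Authenticated). AES-256-GCM, the `iv + tag + ciphertext` layout and a key held outside the database are assumptions; the plaintext is assumed non-empty.

```ruby
require "openssl"

# key: 32 random bytes kept outside the database
# (assumed: an environment variable or a secrets manager).
def encrypt_credential(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh 12-byte nonce for every record
  ciphertext = cipher.update(plaintext) + cipher.final
  # Layout (assumed): 12-byte IV, 16-byte auth tag, ciphertext; base64 for a text column.
  [iv + cipher.auth_tag + ciphertext].pack("m0")
end

# Raises OpenSSL::Cipher::CipherError if the key is wrong or the record was modified.
def decrypt_credential(blob, key)
  raw = blob.unpack1("m0")
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  (cipher.update(raw[28..-1]) + cipher.final).force_encoding(Encoding::UTF_8)
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32) # constructed sample key
  blob = encrypt_credential("ftp-pass (constructed sample)", key)
  puts blob
  puts decrypt_credential(blob, key)
end
```

Anyone who holds both the database row and the key can recover the credential, which is the trade-off the reply points out.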
Thanks for your help everyone. You've all helped me understand encryption a little better, which sorta clears up my approach with this application.

It's not that I am allowing people to change their passwords. The application's objective is to store client information (i.e. ftp info, control panel...) and retrieve it as necessary in the application.

I suppose Acts as Authenticated is the approach I need to take.