If the password owner doesn't work for your company then you may be running afoul of the law if you continue down this path. Be very careful to ensure that you know if you are violating the law and make an appropriate decision for whether or not to do so. I do not advocate breaking the law, and provide the publicly available information, below, for your general educational purposes. Not wanting to change the password but wanting to learn it is generally very suspicious.
If you have business accessing the data that the password protects, then you probably have access to change the password, or you probably already know the password. Wanting to keep the password unchanged, but learn what it is and gain access to the underlying assets begs the question: why leave it unchanged? One obvious answer is to prevent the rightful owner from knowing that you have access. Another obvious answer is because you forgot the password and are trying to regain access to your own data - though it is very unusual to have access to the hash but not the ability to just change the password if one is truly the rightful owner. As commenters have mentioned, you cannot decrypt a hash.
Hashing and encyrption/decryption are two separate operations. Encryption and decryption are opposites, while hashing has no opposite function. For simplicity's sake, consider encryption to be like adding 1 to each character, so 'a' in the original text becomes 'b', 'b' in the original text becomes 'c', and so on. Decryption would be subtracting 1 from the number, so 'b' in the cipher text becomes 'a'. In reality, much harder math problems are used, but this is the general idea.
Hashing doesn't have an inverse. Consider hashing like finding the mod 2 result. For example, 'a' could be represented as the value '97', and 97 mod 2 = 1. 'b' could be represented as the value '98' and 98 mod 2 = 0. Shown as a table below. Letter numeric mod 2 representation (the 'hash') a 97 1 b 98 0 c 99 1 d 100 0 e 101 1 As you can see from the table, there's no way to get back to the original letter knowing only the hash value. In reality, hashes are much more complex, based on much harder math, and often are designed to prevent collisions - avoiding the scenario in my description where mod2 every 'odd' letter results in a '1' and every 'even' letter results in a '0'.
Nonetheless, it should be clear that you cannot reverse a hash like you can reverse (decrypt) encryption. That said, there sometimes ways to find out the password. You might 'brute force' every possible input until you get the expected result.
That is, try your salt with the password 'a', 'aa', 'aaa', 'aaa'., 'b', 'bb'., 'ab'. With a good hash algorithm, this is the fastest way to figure out a particular hash. However, with a good hash algorithm and a sufficiently long password, you won't be able to learn the password this way before the sun dies out.
Sometimes hash algorithms will have weaknesses. Sometimes, there will be a method that is faster than brute forcing.
Encrypt And Decrypt Password
You'd need to look up the particular algorithm in use and learn its weaknesses, but even then this doesn't mean it will be possible to break in reasonable time. I'll leave this as an exercise for the reader, and will not be responding to any requests for pointers:) Finally, often easier than attempting to reverse a hash is to learn the password another way.
Realistically, this is exactly what a strong hash algorithm is intended to force you to do - it's supposed to be so hard to learn the original password that you have to resort to another technique. For example, if the person who uses the password works for your company, the CEO can ask them for their password. More often, the real goal is to gain control over a valid account, so you can just change the current password. That's about as much of an answer as I can really give, given the vagueness of your question. If you are interested in more, talk to your lawyer and start reading Wikipedia articles. They do a very good job of explaining encryption and hashing and related algorithms.
The theory goes that the password encryption is a one-way process. By this I mean that it is not computationally feasible to decrypt it. The way that this works is that when a user enters a password, it is encrypted and compared with the encrypted version in the file. The user is only allowed in if the two encrypted versions match. There is no way to recover a lost password, the only option is to issue a new temporary password to the user, the encrypted version of the new password replaces the old. The user should then change his/her own password so that only they know it.
Decrypt Password Online
Only a brute force method can be used to find out the contents of a password file, for example by encrypting a dictionary file and comparing the encrypted version against each password. This will only work if the user has used a dictionary word as a password, hence the recommendation to use both characters and numbers in a password. Such programs however run for days and days and cannot be guaranteed to decrypt all carefully chosen passwords. Besides, this is not what you want to do is it?;-).
I have written an entire register/login script for my site in php. I just recently switched hosts to a company called DailyRazor.com. They have Cpanel 10. I am trying to password protect a directory, but I want the users to have to register on my site before they can access it.
Crack in finished drywall above door frame. I would like to use CPanel's built in directory protection, but I am having a problem regarding the passwords. I know how I can write the information to the htpasswd file, but I don't know how to encrypt the passwords when I write them to the file.
I guess what i'm asking for is what type of encryption is used on passwords when the htpasswd files are written. A code example as well as an explanation would be great, because I do not know exactly what 'salt' is, except that it pertains to encryption. Any help would be greatly appreciated.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |