I am storing all my passwords in hashed form. I need to retrieve these passwords, e.g.:

My password is "123456". I save this as the hashed value "3453474852dfdsfdsfdf".

I need to retrieve the original password from the hashed value. (Get Password).

How can I do that? I am using the SHA1 hashing algorithm.

+14  A: 

This is not possible. SHA1 is, very carefully and deliberately, a one-way function.

Why are you trying to recover the original password? It is not needed for authentication, because you simply hash the input password and compare the hash values.

If it is because the user forgot their password, then standard practice appears to be generating a randomized reset link and emailing it to the user.

jleedev
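The two flows described in the answer above (hash the input and compare, and a randomized reset link), as an added Python example that is not part of the original answer. It substitutes salted PBKDF2-HMAC-SHA256 for the bare SHA1 in the question; the function names, the `user_record` dict, the iteration count and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise as far as login latency allows
RESET_TTL_SECONDS = 3600     # assumed one-hour lifetime for a reset link

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated per password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(candidate, salt, stored_digest):
    """Authenticate by re-hashing the input and comparing in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)

def issue_reset_token(user_record, now=None):
    """Create the random token for the emailed link; store only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user_record["reset_hash"] = hashlib.sha256(token.encode()).digest()
    user_record["reset_expires"] = now + RESET_TTL_SECONDS
    return token  # placed in the link sent to the user, never stored in clear

def redeem_reset_token(user_record, token, new_password, now=None):
    """Set a new password if the token matches and has not expired (single use)."""
    now = time.time() if now is None else now
    expected = user_record.get("reset_hash")
    if expected is None or now > user_record.get("reset_expires", 0):
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, expected):
        return False
    user_record["salt"], user_record["digest"] = hash_password(new_password)
    user_record.pop("reset_hash")      # invalidate the token after use
    user_record.pop("reset_expires")
    return True
```

At no point does the server need, or keep, anything from which the old password could be read back.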
+3  A: 

You can't. The point of a hash function (as opposed to encryption) is that it's a one-way process. In other words, there can be multiple passwords which hash to the same value, and there's no way of going from the hash to the original password.

This is useful as you don't need any sort of "master password" or other secret which is required for two-way encryption - but it does mean you will never be able to get back the original password from the hashed value. If you really need the password, you'll have to use encryption/decryption instead of hashing.

Jon Skeet
+3  A: 

You can't do that; that's the point of a hash function. In fact, several passwords can give you the same hash, so even if you find a string that gives you this hash, it may not be the correct one.
If you need to get the password back, don't use a hash; use something like RSA.

Some links for you to read:

Nico
+1  A: 

If you're not using a salt then you could break the passwords using a dictionary attack.

EDIT: I realise his original question is how to retrieve a password he stored, but it amuses me to provide a solution to the more generic question implied by the question title.

Rick
+2  A: 

You can't, that's what hashes are for. Because of that, many sites have an option to reset the password (i.e. putting into the db the hash of the new password you provided). You usually don't find the option to retrieve the current password (i.e. having it sent to you by mail).

If a website does offer this functionality, it means that they are not storing password hashes, but either plaintext or encrypted passwords. Since storing a hash is the best practice, you should steer clear of sites that offer password retrieval.

And you should steer clear of developing such a site yourself ;-)

Treb
A: 

Theoretically you can't as the other comments have mentioned.

What I think Rick was trying to say is that if an attacker knew you were using the SHA1 algorithm for hashing and the salt you were using, they could make a mapping of hashes to passwords to attempt to retrieve passwords.

But to answer your question: no, you can't do this easily.

Ryan Guest
Not if the hash is 'salted'. This makes brute force dictionary attacks very hard (assuming attacker does not know the salt).
Mitch Wheat
You're 100% correct Mitch. My answer is based on the attacker having knowledge of the salt and hashing algorithm.
Ryan Guest
Ryan was referring to my post, where I pointed out just that: he should have salted his passwords before hashing. http://stackoverflow.com/questions/277210/i-need-to-get-the-password-which-is-hashed-in-aspnet#277241
Rick
+3  A: 

Two interesting articles on the topic: You're Probably Storing Passwords Incorrectly and Rainbow Hash Cracking...

So it depends on what you plan to do (a password storage safe or storing password for users on a site, etc.). For the former usage, you can take a look at how KeePass works (it is open source).

PhiLho
A: 

Not meaning to be rude here, but did you really understand why you were hashing the passwords in the first place?

korona