views: 200

answers: 3

I am currently encoding a password. I have to decode the password. Here is the code to encode. I am trying to get the original password to compare it. I have researched MessageDigest, which says it is a one-way method. Not sure how to get the original message. We have a decode method, but it isn't giving me the original password - Base64.decode.

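    public static synchronized String getMD5_Base64(String input) {
        // isInited and digest are static fields of the enclosing class (not shown in the post).
        // The shared MD5 digest is created lazily on first use.
        if (!isInited) {
            isInited = true;
            try {
                digest = MessageDigest.getInstance("MD5");
            } catch (Exception ex) {
                // digest stays null; handled by the check below
            }
        }
        // Fail closed: never hand back the plain-text password when hashing is unavailable.
        if (digest == null)
            throw new IllegalStateException("MD5 MessageDigest is not available");

        // now everything is ok, go ahead
        try {
            digest.update(input.getBytes("UTF-8"));
        } catch (java.io.UnsupportedEncodingException ex) {
            // UTF-8 is a charset every JVM must support, so this is not reached.
        }
        byte[] rawData = digest.digest();        // 16-byte MD5 hash (one-way)
        byte[] encoded = Base64.encode(rawData); // Base64 text of the hash (reversible, but only back to the hash)
        String retValue = new String(encoded);
        return retValue;
    }
}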
+3  A: 

You cannot get the original password. Keep in mind that the digest and Base64 encoding do two completely different things. The MD5 digest creates a cryptographic hash of the data supplied to it. This is irreversible. Base64 is an encoding mechanism to convert data (which might contain unprintable binary data) into a string that is guaranteed to contain only printable characters. This step is reversible.

The standard way of checking a password is not to decode the original password and compare the plain text. What you need to do is take the encoding (MD5 hash then Base64 encode) you did on the original password and apply it to the newly supplied password. Then compare the stored encoded version with the newly encoded version. If they're the same then the passwords matched.

This design is a more secure mechanism than storing passwords that could be decoded. This way, if someone steals your password database they don't automatically have access to all the passwords of your users. In order to break into the system they'd still have to find a password that encoded to the same value. The point of cryptographic hashes like MD5 is to make that very difficult. On the other hand, MD5 is not considered a very secure hash anymore. You'd be better off using SHA1 or SHA256 (but remember, you can't change the existing stored passwords from their MD5 hash to another hash without the original password, which you don't have, i.e. you can't just convert your database of stored passwords).

Jherico
Hi Jherico. The problem is I am trying to check that there are not 4 consecutive characters from the previous passwords in the current password, so trying to get the pattern of the MD5 Base64 is coming out incorrectly. So I was trying to get back to the original passwords to compare.
Perry
I'm wondering if I should just decode previous pwds, create MD5 with new password and just compare what the MD5's created? Just not really sure how I should do this. :)
Perry
It's impossible. The point of a cryptographic hash is that every output bit is potentially influenced by every input bit. There's no way to do the kind of comparison you suggest with the data you have.
Jherico
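The check described in the answer above (re-encode the supplied password and compare it with the stored value), as an added example that is not part of the original posts. It assumes `java.util.Base64` in place of the question's unidentified `Base64` class; the class name, method names and sample passwords are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example: class name, method names and sample passwords are constructed.
public class Md5Base64Check {

    // Same transformation as the question's getMD5_Base64 (MD5, then Base64).
    static String md5Base64(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5"); // fresh instance per call
        byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(hash);
    }

    // Verify by re-encoding the candidate and comparing; nothing is decoded.
    static boolean matches(String candidate, String stored) throws NoSuchAlgorithmException {
        byte[] a = md5Base64(candidate).getBytes(StandardCharsets.US_ASCII);
        byte[] b = stored.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b); // comparison time does not depend on where the bytes differ
    }

    public static void main(String[] args) throws Exception {
        String stored = md5Base64("Winter2023!"); // value the database would hold

        // Base64 decoding is reversible, but it only yields the 16 hash bytes.
        byte[] decoded = Base64.getDecoder().decode(stored);
        System.out.println("stored value     : " + stored);
        System.out.println("decoded length   : " + decoded.length
                + " bytes (the MD5 hash, not the password)");

        System.out.println("correct password : " + matches("Winter2023!", stored));
        System.out.println("wrong password   : " + matches("Winter2024!", stored));

        // The two passwords differ in a single character, yet their hashes are
        // unrelated, so a "4 consecutive characters" rule cannot be checked
        // against the stored values.
        byte[] other = Base64.getDecoder().decode(md5Base64("Winter2024!"));
        int differingBits = 0;
        for (int i = 0; i < decoded.length; i++) {
            differingBits += Integer.bitCount((decoded[i] ^ other[i]) & 0xff);
        }
        System.out.println("differing bits   : " + differingBits + " of 128");
    }
}
```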
+1  A: 

The MD5 hash algorithm is, like all hash algorithms, one-way. The only way to recover the original password is to try every possibility until you get the one whose MD5 hash matches what you received.

Borealid
This will not (necessarily) actually find the original password. Rather, you will have found a hash collision. Granted, since the hash is 128 bits and the size of the domain of commonly used passwords probably comes nowhere near that, the likelihood is that you will have found the actual password.
Jherico
+1  A: 

If you're trying to compare the contents of the new password with the older passwords, you can't use an MD5 hash. As Jherico noted, MD5 (and all hashes) are one-way, meaning that you can't get the original text.

In order to do the compare you will have to keep the original value of the password around somewhere. The best way is probably to encrypt (and base64 the result) before storing it to the database. Then in order to do the compare, you decrypt each of the values and do the work that you want.

One important note is that storing the user's passwords in any form that can be reversed can be dangerous if not done properly.

jmo