How do you de-hash a value?

mikeashfield
Forum Contributor
Posts: 159
Joined: Sat Oct 22, 2011 10:50 am

How do you de-hash a value?

Post by mikeashfield »

Okay, I've just learned how to hash a password into the relevant record. It's now in the DB as "1dd6a67153d517ca26734b47fdcf02a28573f84f" but I have no idea how to view these passwords now, what's the best way?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: How do you de-hash a value?

Post by Celauran »

Not being able to see the passwords is the whole point of hashing. Hashing is a one-way function.
mikeashfield
Forum Contributor
Posts: 159
Joined: Sat Oct 22, 2011 10:50 am

Re: How do you de-hash a value?

Post by mikeashfield »

Isn't that a bit senseless? So does the hashed value always remain the same if the underlying value is the same? To replace it you just hash another value and insert it, right?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: How do you de-hash a value?

Post by Celauran »

The same input will always produce the same hashed output, yes. That's how you're able to authenticate users when their passwords are hashed; hash the password they enter in the login form and compare the hashes.

It's far from being senseless, though. If your database is somehow compromised and you stored your passwords as plain text, whoever gained access to your database now has a list of email addresses and their corresponding passwords. Given the number of people who use the same password for everything, this can be potentially disastrous for your users. Hashing helps protect against this. The better the hashing algorithm, the better protection it affords your users.
mikeashfield
Forum Contributor
Posts: 159
Joined: Sat Oct 22, 2011 10:50 am

Re: How do you de-hash a value?

Post by mikeashfield »

So does the hash generator work with some sort of key on the server machine so that only hashes generated on that machine will match? Or is it some sort of standard algorithm? Surely if the hash generated is the same each time then there must be an easy way for hackers to deduce the underlying password?
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: How do you de-hash a value?

Post by twinedev »

Yes, it is the same per method. (i.e. PHP's md5() function will return the same hash that MySQL's MD5() function returns)

This is why 1. you should use something more than just md5(), and 2. prefer to use a salt/pepper with it:

SALT: this is a phrase that is the same for the same site/app
PEPPER: this is a phrase that is the same for the user that will never change (i.e. timestamp they first signed up)

So then when you go to hash it (using md5 here for simplicity, but again, you should use something better) even if every user has the same password, it should be a different hash. The following takes it a little further, and based upon if the record's PK is even or odd, changes the hash order.

Code:

define('HASH_SALT', 'This is a phase for the WHOLE site');

// Placeholder values so the snippet runs; in a real app they come from the form and the DB.
$strPassword = 'example-password'; // The actual password you are needing to hash

$intUserID = 42;         // FROM DB CALL ON USER, this is the primary key in the table
$tsSignUp  = 1319277000; // FROM DB CALL ON USER, this is the timestamp of when the record was created

// Odd primary key: timestamp first; even primary key: site-wide phrase first.
if ($intUserID % 2) {
    $strHash = md5($tsSignUp . $strPassword . HASH_SALT);
}
else {
    $strHash = md5(HASH_SALT . $strPassword . $tsSignUp);
}
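
Added example (not written by any poster in this thread): the points discussed above, shown with PHP's built-in password_hash() and password_verify() (PHP 5.5 and later) instead of the md5() construction in the post. The function names registerUser and checkLogin and the sample passwords are made up for illustration.

```php
<?php
// Sample passwords below are constructed for this example.

// 1. A plain hash such as sha1() is deterministic and unkeyed: the same
//    password gives the same 40-character value on every machine, so two
//    users with the same password get identical rows in the table.
$aliceSha1 = sha1('correct horse');
$bobSha1   = sha1('correct horse');
var_dump($aliceSha1 === $bobSha1);

// 2. Registration: password_hash() picks a random salt on every call and
//    stores it, with the algorithm and cost, inside the returned string.
//    Save that whole string in the password column.
function registerUser(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// 3. Login: nothing is "de-hashed". password_verify() re-hashes the
//    submitted password with the salt read from the stored string and
//    compares the two results in a timing-safe way.
function checkLogin(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

$aliceHash = registerUser('correct horse');
$bobHash   = registerUser('correct horse');

// Same password, different salts: compare the two stored strings.
var_dump($aliceHash === $bobHash);

// A correct and an incorrect login attempt against Alice's record.
var_dump(checkLogin('correct horse', $aliceHash));
var_dump(checkLogin('wrong guess', $aliceHash));

// 4. When the default algorithm or cost changes, re-hash at the next
//    successful login, while the plain password is available.
if (checkLogin('correct horse', $aliceHash)
    && password_needs_rehash($aliceHash, PASSWORD_DEFAULT)) {
    $aliceHash = registerUser('correct horse'); // then save it to the DB
}
```

To replace a forgotten password, call registerUser() on the new password and overwrite the stored string; the old password is never recovered.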
