How do you de-hash a value?
Posted: Sun Oct 30, 2011 8:25 am
by mikeashfield
Okay, I've just learned how to hash a password into the relevant record. It's now in the DB as "1dd6a67153d517ca26734b47fdcf02a28573f84f" but I have no idea how to view these passwords now, what's the best way?
Re: How do you de-hash a value?
Posted: Sun Oct 30, 2011 9:11 am
by Celauran
Not being able to see the passwords is the whole point of hashing. Hashing is a one-way function.
Re: How do you de-hash a value?
Posted: Sun Oct 30, 2011 9:48 am
by mikeashfield
Isn't that a bit senseless? So does the hashed value always remain the same if the underlying value is the same? To replace it you just hash another value and insert it, right?
Re: How do you de-hash a value?
Posted: Sun Oct 30, 2011 9:53 am
by Celauran
The same input will always produce the same hashed output, yes. That's how you're able to authenticate users when their passwords are hashed; hash the password they enter in the login form and compare the hashes.
It's far from being senseless, though. If your database is somehow compromised and you stored your passwords as plain text, whoever gained access to your database now has a list of email addresses and their corresponding passwords. Given the number of people who use the same password for everything, this can be potentially disastrous for your users. Hashing helps protect against this. The better the hashing algorithm, the better protection it affords your users.
Re: How do you de-hash a value?
Posted: Sun Oct 30, 2011 11:30 am
by mikeashfield
So does the hash generator work with some sort of key on the server machine so that only hashes generated on that machine will match? Or is it some sort of standard algorithm? Surely if the hash generated is the same each time then there must be an easy way for hackers to deduce the underlying password?
Re: How do you de-hash a value?
Posted: Sun Oct 30, 2011 1:56 pm
by twinedev
Yes, it is the same per method (i.e. PHP's md5() function will return the same hash that MySQL's MD5() function returns).
This is why 1. you should use something more than just md5(), and 2. prefer to use a salt/pepper with it:
SALT: this is a phrase that is the same for the same site/app
PEPPER: this is a phrase that is the same for the user that will never change (i.e. the timestamp they first signed up)
So then when you go to hash it (using md5 here for simplicity, but again, you should use something better), even if every user has the same password, it should be a different hash. The following takes it a little further and, based upon whether the record's PK is even or odd, changes the hash order.
Code:
define('HASH_SALT', 'This is a phrase for the WHOLE site');
$strPassword = 'secret';               // the actual password you are needing to hash (example value)
$intUserID   = 42;                     // FROM DB CALL ON USER: the primary key in the table (example value)
$tsSignUp    = '2011-10-30 08:25:00';  // FROM DB CALL ON USER: timestamp of when the record was created (example value)
// Odd primary keys use one ordering of the pieces, even ones the other
// (md5 used for simplicity; you should use something stronger)
if ($intUserID % 2) {
    $strHash = md5($tsSignUp . $strPassword . HASH_SALT);
} else {
    $strHash = md5(HASH_SALT . $strPassword . $tsSignUp);
}
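As an added example (not code from the thread or any of its posters), the following PHP script ties Celauran's "hash what they type and compare" point to twinedev's salt advice: it shows that plain md5() gives two users with the same password the same hash, that a per-user random salt breaks that link, how a login check works without ever reversing the hash, and the built-in password_hash()/password_verify() pair that does all of this for you. The user names and passwords are constructed sample data; it assumes PHP 7 or newer.

```php
<?php
// Added example, not from the thread. Requires PHP 7+ (random_bytes, typed params).

// Constructed sample data: two users who happened to pick the same password.
$users = ['alice' => 'correct horse', 'bob' => 'correct horse'];

// 1. Unsalted md5, as discussed in the thread: identical passwords produce
//    identical hashes, so one cracked hash exposes every account sharing it.
function unsalted_collide(array $users): bool {
    return md5($users['alice']) === md5($users['bob']);
}

// 2. A random salt stored beside each hash: same password, different hashes.
//    (A plain SHA-256 is still far too fast for passwords; see step 3.)
function salted_hash(string $password): array {
    $salt = bin2hex(random_bytes(16));                      // unique per record
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

// Login check: recompute with the stored salt and compare in constant time.
// Nothing here "de-hashes" anything; that is the whole point.
function salted_verify(string $password, array $record): bool {
    $candidate = hash('sha256', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);
}

// 3. What to actually use: password_hash() picks a slow, purpose-built
//    algorithm (bcrypt by default), generates the salt, and embeds it in the
//    returned string so password_verify() can read it back later.
function modern_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

$records = array_map('salted_hash', $users);
$stored  = modern_hash($users['alice']);

echo "md5 hashes collide for identical passwords: ",
     var_export(unsalted_collide($users), true), PHP_EOL;
echo "salted hashes collide for identical passwords: ",
     var_export($records['alice']['hash'] === $records['bob']['hash'], true), PHP_EOL;
echo "salted login with correct password: ",
     var_export(salted_verify('correct horse', $records['alice']), true), PHP_EOL;
echo "salted login with wrong password: ",
     var_export(salted_verify('wrong', $records['alice']), true), PHP_EOL;
echo "password_verify with correct password: ",
     var_export(password_verify('correct horse', $stored), true), PHP_EOL;
echo "stored bcrypt string: ", $stored, PHP_EOL;
```

Run it twice and note that the salted and bcrypt hashes differ between runs while both verifications still succeed; that is exactly what stops a leaked table from being matched against a precomputed list.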