sha1 to text

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

kumanan.c
Forum Newbie
Posts: 4
Joined: Mon Aug 09, 2010 1:53 am

sha1 to text

Post by kumanan.c »

Hi,
I used the sha1 encryption algorithm to compress my password and store the value in the database. If the user forgets his password, I need to send him back the original password, not a compressed password. How can I convert sha1 type values to text, like

(e.g.)
input password="123456"
sha1 compression="7c4a8d09ca3762af61e59520943dc26494f8941b"
I want my original value back, like ="123456"

thanks in adv.
kumanan.c
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: sha1 to text

Post by Mordred »

In general, you can't. That's one of the requirements of cryptographic hash functions like sha-1.

For implementing "forgot password" recovery, instead of sending back his old password, generate a new one and send it instead.
kumanan.c
Forum Newbie
Posts: 4
Joined: Mon Aug 09, 2010 1:53 am

sha1 to text

Post by kumanan.c »

Oh,
thanks, my friend, for your kind reply. If they ask about a forgotten password, I will just reset it, generate a random password, and give it to him, correct!

thanks

kumanan.c
Gargoyle
Forum Contributor
Posts: 130
Joined: Wed Jul 14, 2010 12:25 am

Re: sha1 to text

Post by Gargoyle »

Just to expand, you're confusing encrypting and hashing.

Craig has another great blog post about that:
http://www.thelampblog.com/2010/07/31/p ... s-hashing/
Sephern
Forum Commoner
Posts: 73
Joined: Sun Jan 04, 2009 4:44 pm

Re: sha1 to text

Post by Sephern »

Alternatively, instead of sending them their new password in an email, generate an alphanumeric, multi-character ID and store it in the database, then email them a URL containing the ID. Compare the URL to the database ID, to verify that it's a correct ID. Then compare the date/time the user visits the URL to when the email was generated. If it's within a reasonable amount of time, give them a form to reset the password. Otherwise, show an error and generate a new ID to send to them.

When done, delete the ID from your database.
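
The reset-ID flow described in the post above, as an added PHP example that is not part of the original thread. It assumes PHP 7+ with the pdo_sqlite extension; the `password_resets` table, the function names, the one-hour window and the example.com URL are hypothetical, and storing only a SHA-256 hash of the ID instead of the ID itself is a hardening step added here.

```php
<?php
// Added example: table, column and function names are hypothetical.
const RESET_TTL = 3600; // the "reasonable amount of time": one hour, an assumption

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_resets (
    user_id INTEGER PRIMARY KEY, token_hash TEXT NOT NULL, created_at INTEGER NOT NULL)');

// Create a reset ID for the user and return the value to put in the emailed URL.
function issue_reset_token(PDO $db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters from the CSPRNG
    // Only a hash is stored, so a leaked table does not yield usable links.
    // REPLACE keeps one outstanding ID per user; an older one stops working.
    $stmt = $db->prepare('REPLACE INTO password_resets VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), $now]);
    return $token;
}

// Return the user id if the ID is known and fresh, null otherwise.
// The row is deleted whenever it is found, so an ID works at most once.
function redeem_reset_token(PDO $db, string $token, int $now): ?int
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, created_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown ID
    }
    $db->prepare('DELETE FROM password_resets WHERE token_hash = ?')->execute([$hash]);
    if ($now - (int)$row['created_at'] > RESET_TTL) {
        return null; // expired: the caller shows an error and issues a new ID
    }
    return (int)$row['user_id'];
}

// Constructed walk-through with fixed timestamps.
$t0 = 1700000000;
$token = issue_reset_token($db, 42, $t0);
echo "https://example.com/reset.php?id=$token\n";
var_dump(redeem_reset_token($db, $token, $t0 + 600));  // visit inside the window
var_dump(redeem_reset_token($db, $token, $t0 + 700));  // second visit with the same ID
$late = issue_reset_token($db, 42, $t0);
var_dump(redeem_reset_token($db, $late, $t0 + 7200));  // visit after the window
```

A non-null return is the point at which the application would show the password reset form for that user.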