mbrown Posted January 30, 2009

Is there any way, as an admin of my own system, that I can convert the SHA1 hash to text again? I want to do this so that when the admin updates some information on the account, the user gets all of the information in an email related to the account info.

Thanks

premiso Posted January 30, 2009

I think... if I am not mistaken, that SHA1 is a one-way hash. So no, not unless you had it set up as an encryption with a key to decrypt it.

5kyy8lu3 Posted January 30, 2009

You would have to do a reverse lookup, and that's still a long shot. There are tons of 'rainbow tables' for reverse lookup use for MD5, so I'd imagine you might be able to find a few for SHA1 too.

mbrown Posted January 30, 2009

I could go to a website that I know to reverse engineer them. But how do websites do it when you update your account info and get all of your account info in an email, even if you did not change the pw?

rhodesa Posted January 30, 2009

It means they are not storing it with a one-way encryption method like SHA1... if the data has been encrypted with SHA1 you cannot turn it back to text (and shouldn't be able to).

Why do you need to send their password? Frankly, I hate it when sites send me an email with my password in it. Emails are not secure at all.

premiso Posted January 30, 2009

> I could go to a website that I know to reverse engineer them. But how do websites do it when you update your account info and get all of your account info in an email, even if you did not change the pw?

They either encrypt it, or do not encrypt certain items like phone number etc. They most likely use an encryption for, like, the password and such and have a key to decrypt it.

As for me, that is a huge security concern on my part. If you can decrypt my password, so can someone else. In a one-way hash I know my password is safer and no one who gets angry on your site will try and use that at other sites.

xangelo Posted January 30, 2009

Normally what they do is run it through the one-way encryption and store the hashed value. Then if you ever enter a password again, it runs it through the encryption and checks it against the stored value.

mbrown Posted January 30, 2009

All right.

revraz Posted January 30, 2009

Every time a site sends me my actual PW, I can't help but think they store them in plain text.

cwarn23 Posted February 3, 2009

> Normally what they do is run it through the one-way encryption and store the hashed value. Then if you ever enter a password again, it runs it through the encryption and checks it against the stored value.

And I have created a script that just does that. If you have 2 Petabytes (or 2147483648 Megabytes which is 2048 Terabytes) then you should be able to dehash and hash contain data up to 30 or 40 digits. So first you will need to create a MySQL database with a table called 'dehasher' (without the quotes) and inside that table you need 2 text columns named 'word' and 'hash' (without the quotes). After creating that MySQL database, create a file named db.php and place in it the following contents:

```php
<?php
//db.php
//configure below mysql variables
$dbhost='localhost';
$accountname='root';
$password='';
$database='my database';
?>
```

And of course you will need to configure the above variables to your MySQL database. Then below is index.php

```php
<?php
//index.php
if (isset($_GET['hash'])) {
    set_time_limit(0);
    ini_set('memory_limit','512M');
    ini_set('mysql.cache_size','1073741824');
    include('db.php');
    //mysqli_* is used because the mysql_* functions were removed in PHP 7
    $link=mysqli_connect($dbhost,$accountname,$password) or die("Could not connect to MySQL server");
    mysqli_select_db($link,$database) or die(mysqli_error($link)."Could not select database");
    $rowid=0;
    $sqlresult=mysqli_query($link,"SELECT * FROM `dehasher`");
    while ($row = mysqli_fetch_array($sqlresult)) {
        //strict comparison: == can treat two different "0e..." hex strings as equal numbers
        if ($_GET['hash']===$row['hash']) {
            $word=$row['word'];
            $dehashed=1;
            break;
        }
    }
    mysqli_free_result($sqlresult);
    unset($row);
}
echo "Enter in the details below and click the dehash button to dehash the code.<br>
<b>Please note it may take a few minutes to dehash due to the size of the database</b><br>
<table border=1 cellpadding=5 cellspacing=0 bgcolor=#FFCCCC><tr><td>
<form style='padding:0; margin:0;'>
<table border=0 cellpadding=0 cellspacing=0 bgcolor=#FFCCCC><tr><td>
Insert hash below</td><td>Hash type</td></tr><tr><td valign=top>
<input type='text' name='hash' size=50>
</td><td align=left><input type='submit' value='dehash'>
</td></tr></table>
</form></td></tr></table>";
if (!isset($dehashed)) {
    $dehashed=0;
}
if ($dehashed==1) {
    //htmlspecialchars() keeps the stored word and the submitted hash from being rendered as HTML
    echo "<p>.<p><font size=3>The hash was decrypted successfully.<br>Below are the details:<br>
<table border=1 cellpadding=0 cellspacing=0><tr><td>
<table border=0 cellpadding=4 cellspacing=0><tr>
<td bgcolor=#EEBBBB><font face='arial'><b>Word</b></font></td><td bgcolor=#FFCCCC>".htmlspecialchars($word)."</td></tr><tr>
<td bgcolor=#D8CCCC><font face='arial'><b>Hash</b></font></td><td bgcolor=#E9DDDD>".htmlspecialchars($_GET['hash'])."</td></tr></table>
</td></tr></table>";
} else if (isset($_GET['hash'])) {
    echo "<b>Your hash could not be decrypted.</b>";
}
?>
```

Then create a file named generator.php with the following contents and this file will generate the database contents for the dehashing.

```php
<?php
//generator.php
set_time_limit(0);
ini_set('memory_limit','2147483648M');
ini_set('mysql.cache_size','1073741824');
include('db.php');
//mysqli_* is used because the mysql_* functions were removed in PHP 7
$link=mysqli_connect($dbhost,$accountname,$password) or die("Could not connect to MySQL server");
mysqli_select_db($link,$database) or die(mysqli_error($link)."Could not select database");
$rownum=0;
$rowid=0;
//echo - text debugger for IE.
echo "<img src=0.gif width=1 height=1 alt=' ". " '><br>";
$list=" ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890`~!@#$%^&*()-_=+\|[{]};:\"',<.>/?abcdefghijklmnopqrstuvwxyz.,";
$loops=38430716820228233;
$chars=30;
$allwords=array();
//load the words that are already in the table
$sqlresult=mysqli_query($link,"SELECT `word` FROM `dehasher`");
while ($row = mysqli_fetch_array($sqlresult)) {
    $allwords[]=$row['word'];
}
mysqli_free_result($sqlresult);
unset($row);
unset($sqlresult);
while (count($allwords)<$loops) {
    //start every pass with an empty word so a rejected duplicate is not appended to
    $randomword='';
    $escapecharplus=0;
    $repeat=mt_rand(1,$chars);
    while ($escapecharplus<$repeat) {
        $randomword.=$list[mt_rand(1, strlen($list)-1)];
        $escapecharplus+=1;
    }
    if (!in_array($randomword,$allwords)) {
        $allwords[]=$randomword;
        $rowid+=1;
        mysqli_query($link,"INSERT INTO `dehasher` SET `word`='".mysqli_real_escape_string($link,$randomword).
            "', `hash`='".mysqli_real_escape_string($link,hash('sha1', $randomword))."'");
        echo mysqli_error($link);
        $rownum+=1;
        echo "<xmp>".$randomword."\n</xmp>";
        flush();
        unset($randomword);
        if (mt_rand(1,32)==2) {
            //one statement per call: mysqli_query() does not run multiple statements
            mysqli_query($link,"DELETE FROM `dehasher` WHERE `word`=''");
            mysqli_query($link,"DELETE FROM `dehasher` WHERE `hash`=''");
        }
        usleep(50000);
    }
}
?>
```

Now that is the script, next is the use of the dehasher. If you intend to use the whole 2 Petabytes then set up a cron job to run generator.php, or if you only want to use a portion of that space then just run the generator.php file in the browser and monitor the space used in the phpMyAdmin table structure tab. After you have generated the database, load index.php and enter a hash and it will dehash it. But for best results you will need to use the full 2 Petabytes.

So it is possible to dehash SHA1, and the only hash I have come across that this method will not work on is whirlpool. That is why I recommend the following method of hashing:

```php
$text='this will be hashed';
$hash=hash('sha1',hash('whirlpool',$text));
```

Hope that script helps with your dehashing if you have 2 Petabytes of disk space.

ratcateme Posted February 3, 2009

The whole point of SHA-1 and MD5 is that they cannot be reversed, and so if someone gets access to your database they cannot get your users' passwords.

The best way to send your users passwords is to make them temporary passwords that can be emailed to them, and if someone else gets the email they cannot use the password on, say, the user's other services where they have used the same password.

Also, the best way to store passwords is with a salt, so like

```php
md5("this is a long random saltjfhfheifbxudjfjdif" . $password);
```

That way, even if they get your hash, a normal rainbow table won't work because they don't start with your salt, and even if they found out your salt it would take a very long time to generate a new rainbow table to crack your passwords and would simply not be worth it.

Scott.
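
An added example, not code from any post in this thread: the store-and-compare login check xangelo describes and the salt plus temporary-credential advice in ratcateme's post, written with PHP's built-in password_hash() and password_verify(). It swaps the fixed-salt md5() for password_hash(), which generates a random salt per user, and the emailed temporary password for a single-use, expiring reset token. The in-memory $users array, the function names and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example. A constructed in-memory array stands in for the users table.

// Store only a salted, slow hash; password_hash() picks a random salt per user.
function register_user(array &$users, string $name, string $password): void
{
    $users[$name] = ['pw_hash' => password_hash($password, PASSWORD_DEFAULT),
                     'reset_hash' => null, 'reset_expires' => 0];
}

// Login: password_verify() re-hashes the input with the stored salt and compares.
function check_login(array $users, string $name, string $password): bool
{
    return isset($users[$name]) && password_verify($password, $users[$name]['pw_hash']);
}

// Reset: the raw token goes in the email, only its SHA-256 is kept server-side.
function issue_reset_token(array &$users, string $name, int $ttl = 3600): string
{
    if (!isset($users[$name])) { throw new InvalidArgumentException('unknown user'); }
    $token = bin2hex(random_bytes(32));
    $users[$name]['reset_hash'] = hash('sha256', $token);
    $users[$name]['reset_expires'] = time() + $ttl;
    return $token;
}

// Redeem once: check expiry, compare in constant time, then replace the password.
function redeem_reset_token(array &$users, string $name, string $token, string $new): bool
{
    $u = $users[$name] ?? null;
    if ($u === null || $u['reset_hash'] === null || time() > $u['reset_expires']
        || !hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$name]['pw_hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$name]['reset_hash'] = null; // single use
    return true;
}

// Constructed sample accounts: two users who chose the same password.
$users = [];
register_user($users, 'alice', 'correct horse battery');
register_user($users, 'bob', 'correct horse battery');
var_dump($users['alice']['pw_hash'] === $users['bob']['pw_hash']); // compares the two salted hashes
var_dump(check_login($users, 'alice', 'correct horse battery'));
$token = issue_reset_token($users, 'alice');
var_dump(redeem_reset_token($users, 'alice', $token, 'new passphrase'));
var_dump(redeem_reset_token($users, 'alice', $token, 'replayed')); // second use of the same token
var_dump(check_login($users, 'alice', 'new passphrase'));
```

With this layout an account-update email can carry the changed details and, if needed, a reset link containing the token, while the password itself is never stored or sent in readable form.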