it means they are not storing it with a one way encryption method like sha1

 

...if the data has been encrypted with sha1 you cannot turn it back to text (and shouldn't be able to)

 

why do you need to send their password? frankly, i hate it when sites send me an email with my password in it. emails are not secure at all

Link to comment
https://forums.phpfreaks.com/topic/143162-sha1-to-text/#findComment-750906

I could go to a website that I know to reverse engineer them. But how do websites do them when you update their account info you can get all of your account info in an email even if you did not change the pw?

 

They either encrypt it, or do not encrypt certain items like phone number etc.

 

They most likely use an encryption for like password and such and have a key to decrypt it.

 

As for me, that is a huge security concern on my part. If you can decrypt my password so can someone else. In a one-way hash I know my password is safer and no one who gets angry on your site will try and use that at other sites.

Link to comment
https://forums.phpfreaks.com/topic/143162-sha1-to-text/#findComment-750908

Normally what they do is run it through the one-way encryption and store the hashed value. Then if you ever enter a password again, it runs it through the encryption and checks it against the stored value.

And I have created a script that just does that. If you have 2 Petabytes (or 2147483648 Megabytes which is 2048 Terabytes) then you should be able to dehash and hash contain data up to 30 or 40 digits. So first you will need to create a mysql database with a table called 'dehasher' (without the quotes) and inside that table you need 2 text columns named 'word' and 'hash' (without the quotes). After creating that mysql database, create a file named db.php and place in it the following contents:

<?
//db.php
//configure below mysql variables
$dbhost='localhost';
$accountname='root';
$password='';
$database='my database';
?>

And of course you will need to configure the above variables to your mysql database. Then below is index.php

<?
//index.php
if (isset($_GET['hash']))
{
set_time_limit(0);
ini_set('memory_limit','512M');
ini_set('mysql.cache_size','1073741824');
include('db.php');
mysql_connect($dbhost,$accountname,$password)
or die("Could not connect to MySQL server");
mysql_select_db($database) or die(mysql_error()."Could not select database");
$rowid=0;
$sqlresult=mysql_query("SELECT * FROM `dehasher`");
while ($row = mysql_fetch_array($sqlresult))
	{
	if ($_GET['hash']==$row['hash'])
		{
		$word=$row['word'];
		$dehashed=1;
		break;
		}
	}
mysql_free_result($sqlresult);
unset($row);
}
echo "Enter in the details below and click the dehash button to dehash the code.<br>
<b>Please note it may take a few minutes to dehash due to the size of the database</b><br>
<table border=1 cellpadding=5 cellspacing=0 bgcolor=#FFCCCC><tr><td>
<form style='padding:0; margin:0;'>
<table border=0 cellpadding=0 cellspacing=0 bgcolor=#FFCCCC><tr><td>
Insert hash below</td><td>Hash type</td></tr><tr><td valign=top>
<input type='text' name='hash' size=50>&#160;</td><td align=left><input type='submit' value='dehash'>
</td></tr></table>
</form></td></tr></table>";
if (!isset($dehashed)) { $dehashed=0; }
if ($dehashed==1)
    {
    echo "<p>.<p><font size=3>The hash was decrypted successfully.<br>Below are the details:<br>
    <table border=1 cellpadding=0 cellspacing=0><tr><td>
    <table border=0 cellpadding=4 cellspacing=0><tr>
    <td bgcolor=#EEBBBB><font face='arial'><b>Word</b></font></td><td bgcolor=#FFCCCC>".htmlspecialchars($word)."</td></tr><tr>
    <td bgcolor=#D8CCCC><font face='arial'><b>Hash</b></font></td><td bgcolor=#E9DDDD>".htmlspecialchars($_GET['hash'])."</td></tr></table>
    </td></tr></table>";
    } else if (isset($_GET['hash'])) {
    echo "<b>Your hash could not be decrypted.</b>";
    }
?>

 

Then create a file named generator.php with the following contents and this file will generate the database contents for the dehashing.

<?
//generator.php
set_time_limit(0);
ini_set('memory_limit','2147483648M');
ini_set('mysql.cache_size','1073741824');
include('db.php');
mysql_connect($dbhost,$accountname,$password)
or die("Could not connect to MySQL server");
mysql_select_db($database) or die(mysql_error()."Could not select database");
$rownum=0;
//echo - text debugger for IE.
echo "<img src=0.gif width=1 height=1 alt='                                                       ".
"                                                                                             '><br>";
$list=" ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890`~!@#$%^&*()-_=+\|[{]};:\"',<.>/?abcdefghijklmnopqrstuvwxyz.,";
$loops=38430716820228233;
$chars=30;
$allwords=array();
$sqlresult=mysql_query("SELECT `word` FROM `dehasher`");
while ($row = mysql_fetch_array($sqlresult))
        {
        $allwords[]=$row['word'];
        }
mysql_free_result($sqlresult);
unset($row);
unset($sqlresult);
while (count($allwords)<$loops)
{
$escapecharplus=0;
$randomword=''; //start each candidate word from an empty string
$repeat=mt_rand(1,$chars);
while ($escapecharplus<$repeat)
	{
	$randomword.=$list[mt_rand(1, strlen($list)-1)];
	$escapecharplus+=1;
	}
if (!in_array($randomword,$allwords))
	{
	$allwords[]=$randomword;
	$rowid+=1;
	mysql_query("INSERT INTO `dehasher` SET `word`='".mysql_real_escape_string($randomword).
                "', `hash`='".mysql_real_escape_string(hash('sha1', $randomword))."'");
	echo mysql_error();
	$rownum+=1;
	echo "<xmp>".$randomword."\n</xmp>";
                flush();
	unset($randomword);
                if (mt_rand(1,32)==2)
                        {
                        //mysql_query() runs one statement per call, so issue the two deletes separately
                        mysql_query("DELETE FROM `dehasher` WHERE `word`=''");
                        mysql_query("DELETE FROM `dehasher` WHERE `hash`=''");
                        }
                usleep(50000);
                }
        }
?>

 

Now that is the script, next is the use of the dehasher. If you intend to use the whole 2 Petabytes then set up a cron job to run generator.php or if you only want to use a portion of that space then just run the generator.php file in the browser and monitor the space used in phpmyadmin table structure tab. After you have generated the database then load index.php and enter a hash and it will dehash it. But for best results you will need to use the full 2 Petabytes.

 

So it is possible to dehash sha1 and the only hash I have come across that this method will not work on is whirlpool. That is why I recommend the following method of hashing:

$text='this will be hashed';
$hash=hash('sha1',hash('whirlpool',$text));

 

Hope that script helps with your dehashing if you have 2 Petabytes of disk space.

Link to comment
https://forums.phpfreaks.com/topic/143162-sha1-to-text/#findComment-753361

The whole point of sha-1 and md5 is that they cannot be reversed and so if someone gets access to your database they cannot get your users' passwords

The best way to send your users passwords is to make them temporary passwords that can be emailed to them and if someone else gets the email they cannot use the password on, say, the user's other services where they have used the same password

Also the best way to store passwords is with a salt so like

md5("this is a long random saltjfhfheifbxudjfjdif" . $password);

That way even if they get your hash a normal rainbow table won't work because they don't start with your salt and even if they found out your salt it would take a very long time to generate a new rainbow table to crack your passwords and would simply not be worth it

 

Scott. 

Link to comment
https://forums.phpfreaks.com/topic/143162-sha1-to-text/#findComment-753379
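
Added example, not part of the original thread or any poster's code: the store-and-compare login flow and the salting idea from the posts above, using PHP's built-in password_hash()/password_verify() (a random salt per user instead of one fixed salt string), next to a small precomputed SHA-1 table to show what the salt changes. It also covers the emailed temporary password as a random single-use secret of which only a hash is stored. All function names, sample passwords and the 15-minute expiry are constructed for illustration.

```php
<?php
// Added example; function names and sample values are constructed.

// Tiny precomputed table of unsalted SHA-1 hashes (same idea as a 'dehasher' table).
function build_lookup(array $words): array
{
    $table = [];
    foreach ($words as $w) {
        $table[sha1($w)] = $w;
    }
    return $table;
}

// Registration: password_hash() picks a random salt per call and stores it,
// with the algorithm and cost, inside the returned string.
function register_user(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login: password_verify() re-hashes with the embedded salt and compares safely.
function check_login(string $submitted, string $stored): bool
{
    return password_verify($submitted, $stored);
}

// Reset: mail a random temporary secret; keep only its hash and an expiry time.
function issue_temp_secret(int $ttl = 900): array
{
    $secret = bin2hex(random_bytes(16));
    return ['mail' => $secret, 'store' => hash('sha256', $secret), 'expires' => time() + $ttl];
}

function check_temp_secret(string $submitted, array $row): bool
{
    return time() < $row['expires'] && hash_equals($row['store'], hash('sha256', $submitted));
}

$table = build_lookup(['password', 'letmein', 'qwerty123']);
$alice = register_user('letmein');
$bob   = register_user('letmein');
$reset = issue_temp_secret();

printf("unsalted sha1 found in table: %s\n", var_export(isset($table[sha1('letmein')]), true));
printf("password_hash found in table: %s\n", var_export(isset($table[$alice]), true));
printf("same password, same stored value: %s\n", var_export($alice === $bob, true));
printf("correct login accepted: %s\n", var_export(check_login('letmein', $alice), true));
printf("wrong login accepted: %s\n", var_export(check_login('letmein1', $alice), true));
printf("temporary secret accepted: %s\n", var_export(check_temp_secret($reset['mail'], $reset), true));
```

Because the salt differs per user, a table built once from plain sha1() values cannot be reused against these stored strings, and two accounts with the same password no longer share a stored value.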