-4

This is my password encrypting code :

// Create a 256 bit (64 characters) long random salt
// Let's add 'something random' and the username
// to the salt as well for added security
$salt = hash('sha256', uniqid(mt_rand(), true) . 'something random' . strtolower($username));

// Prefix the password with the salt
$hash = $salt . $password;

// Hash the salted password a bunch of times
for ( $i = 0; $i < 100000; $i ++ )
{
    $hash = hash('sha256', $hash);
}

// Prefix the hash with the salt so we can find it back later
$hash = $salt . $hash;

I lost the tutorial site. Do anyone know how to decrypt this encryption. Thank you very much. Appreciate your help

Redzwan Latif
  • 886
  • 3
  • 14
  • 38
  • 1
    You cannot 'decrypt' hash - it is one-way function by definition. You can encrypt something which was _encrypted_, not _hashed_ – Alma Do Aug 29 '13 at 10:50
  • if you want to check if the password is correct just run your normal password text through the same hash function and then compare the result with what you have stored – bansi Aug 29 '13 at 10:53

2 Answers2

9

There is no *de*cryption algorithm because there's no *en*cryption algorithm. What you're doing is a hash, which is a non-reversible operation. And that's exactly the point, you do not want to store anything that would even allow you the chance of knowing what the actual secret password is.

deceze
  • 510,633
  • 85
  • 743
  • 889
  • This should be a comment, I guess – Alma Do Aug 29 '13 at 10:51
  • But it's the answer. I'm not supplying some meta criticism of the question, I'm answering it. – deceze Aug 29 '13 at 10:53
  • 1
    +1, because you beat me to it (as ever :-P), and because this is indeed the only possible answer to the question – Elias Van Ootegem Aug 29 '13 at 10:56
  • Then, again, I'm lost in 'unwritten rules' of SO. I was highly downvoted in past for such kind of answers.. Nothing personal - if that's ok - I'm glad. – Alma Do Aug 29 '13 at 10:56
  • 1
    @Alma Whatever you do it's wrong sometimes. There's always someone who wants SO to work differently than other people. That's the burden of a democratic system I suppose. ;) – deceze Aug 29 '13 at 10:58
  • 1
    @Elias Maybe we should call dibs in the comments before answering... ;) – deceze Aug 29 '13 at 10:59
  • @deceze: You'll still beat me to it there, too... At least this way (both basically answering the same thing) I can pick up some rep ;-) – Elias Van Ootegem Aug 29 '13 at 11:03
2

A hashing function is not the same thing as encryption. Check the Wiki on hashing. Bottom line is: a hash is a one way algorithm. You can't decrypt it in one go. You could brute-force it, but (especially with sha256) that would take ages. If you were to have a machine, dedicated to cracking a sha256 hash, it'd take ~= 10^64 years!. If 10^64 is meaningless, here's the number in full:

100.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000

And even then, there's no guarantee the result will be right: you could end up with a hash collision (google it). If you do: cheer up, you'd be the first, AFAIK.

For more on encryption vs hashing, refer to this answer to a previous SO question

So the answer is: You can't decrypt (or rather de-hash) what you have.

Community
  • 1
  • 1
Elias Van Ootegem
  • 74,482
  • 9
  • 111
  • 149
  • 1
    I can't agree with your view on concatenation. It makes the hash much more portable and keeps your database schema more compact. The hash and the salt always go together anyway, why not store them together? The "overhead" is terrifically negligible compared to the increased headache of portability. – deceze Aug 29 '13 at 11:04
  • 1
    @deceze You're right... creating additional fields in a table, or storing them in another table (requires more complex queries) might even cause more overhead (as PHP's string functions are fast). I removed it from my answer, added bit about theoretical time it would take to brute-force a sha256 hash instead – Elias Van Ootegem Aug 29 '13 at 11:21