-3

I have over 15k registered accounts in a database. I want to decrypt all passwords and then convert them to another format. Passwords are hashed using SHA-256.

jb.
Ionuț
  • 1
    You can't "decrypt" the passwords - they aren't *encrypted*, they're *hashed* (and, hopefully, salted), irreversibly. Read e.g. http://stackoverflow.com/questions/2235079/is-it-possible-to-reverse-a-sha1 – jonrsharpe Jun 01 '14 at 13:05
  • Do you know any other format safer and better than sha256 hash? – Girish Jun 01 '14 at 13:23
  • This is a duplicate of: http://stackoverflow.com/questions/2235079/is-it-possible-to-reverse-a-sha1 – jb. Jun 01 '14 at 13:42
  • If you want to switch to a more secure hash algorithm, the answer to this [question](http://stackoverflow.com/q/14399750/575765) may be of help. – martinstoeckli Jun 01 '14 at 19:24

1 Answer

3

SHA-256 is not an encryption algorithm. It is a hashing algorithm. There is no way to reverse SHA-256 (if there were, it would not be a secure hash). It is unclear what you mean by "another format," but your problem is not likely solvable directly.

You will need to modify the hashing as each person resets their password, and keep track of which ones you have modified. You can bound this problem by expiring the passwords and forcing everyone to update them.

Rob Napier
  • I understand, but is there any way, say hypothetically, to decrypt all passwords in a database if you know the exact format? – Ionuț Jun 01 '14 at 14:46
  • 1
    I don't understand how this question follows "I understand". It is not meaningful to "decrypt" any hash. It is not feasible to reverse a secure hash. "Format" is irrelevant. You can of course try to crack your users' passwords (by guessing lots of likely passwords and comparing the hashes). You would likely be successful in getting some number of them, particularly if you have failed to correctly salt before hashing. But you would be left with many that you could not crack (and I don't recommend using these techniques against your own users in any case). – Rob Napier Jun 01 '14 at 15:02
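The migration described in the answer above (write the new format on each password reset, track which accounts are converted, and expire the rest), sketched as an added example that is not code from the original thread. It goes one step further by also upgrading on a successful login, when the plaintext is briefly available. Assumptions: the legacy value is an unsalted hex SHA-256 of the password, the replacement is salted PBKDF2-HMAC-SHA256, and the `pbkdf2$` prefix, the function names and the in-memory `db` dict are all hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune for your own hardware

def legacy_hash(password):
    # Assumed legacy format: hex SHA-256 of the bare password, no salt.
    return hashlib.sha256(password.encode()).hexdigest()

def new_hash(password):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # The prefix records which accounts have been migrated.
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"

def is_legacy(stored):
    return not stored.startswith("pbkdf2$")

def verify(password, stored):
    if is_legacy(stored):
        return hmac.compare_digest(legacy_hash(password), stored)
    _, iters, salt, dk = stored.split("$")
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(calc.hex(), dk)

def reset_password(db, user, new_password):
    # Reset path from the answer: every reset writes the new format.
    db[user] = new_hash(new_password)

def login(db, user, password):
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if is_legacy(stored):
        # Added generalization: the password is known here, so upgrade now.
        db[user] = new_hash(password)
    return True

def accounts_to_expire(db):
    # Bound the migration: these accounts must be forced through a reset.
    return sorted(user for user, stored in db.items() if is_legacy(stored))

def sample_db():
    # Constructed sample records in the assumed legacy format.
    return {"alice": legacy_hash("correct horse"),
            "bob": legacy_hash("hunter2")}
```

Once `accounts_to_expire` returns an empty list, the legacy branch in `verify` can be deleted.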