2

So, I successfully encrypt a password to password hash using this following code :

class PassHash 
{

    // blowfish
    private static $algo = '$2a';
    // cost parameter
    private static $cost = '$10';

    // mainly for internal use
    public static function unique_salt() 
    {
        return substr(sha1(mt_rand()), 0, 22);
    }

    // this will be used to generate a hash
    public static function hash($password) 
    {

        return crypt($password, self::$algo .
                self::$cost .
                '$' . self::unique_salt());
    }

    // this will be used to compare a password against a hash
    public static function check_password($hash, $password) 
    {
        $full_salt = substr($hash, 0, 29);
        $new_hash = crypt($password, $full_salt);
        return ($hash == $new_hash);
    }

}

and this is how I encrypting the password :

 $password_hash = PassHash::hash($user->getPasswordHash());

But I have a little problem now when I try to display the password in normal mode.

What is the best way to decrypt the password from that hash ?

TableMan
  • 205
  • 3
  • 6
  • 15
  • 4
    A hash is a one-way thing. ====> Plus, anyone wanting to do that, shouldn't sign up on your site. – Funk Forty Niner Jan 23 '15 at 16:31
  • 2
    @TableMan you are doing it wrong. At several levels. The `"2a"` algorithm is flawed and you should be using `"2y"` version instead. Or even better: use the new [password API](http://php.net/manual/en/book.password.php). Also, using static classes are a really bad practice, because it acts like globally scoped code. Oh, and hashing random string lowers the possible entropy. And blowfish salt uses only 22 symbols. And [**read this**](http://stackoverflow.com/a/4948393/727208). – tereško Feb 27 '15 at 07:33

1 Answers1

5

You can't decrypt a hash (well... technically you can, but you shouldn't) that's what hashes are for (not to be decrypted). You'll want to encrypt(hash) the password you received with the same hashing algorithm you used for the stored hash, and compare the hashes with eachother.

$password_hash = PassHash::hash($user->getPasswordHash());
if($stored_password === $password_hash){
    //The passwords are the same
}

All in all you don't want to let anyone (not even yourself) know what the password of a user is (or the hash for that matter). The user will know, because he entered it and remembers it (hopefully anyway). No one else has got anything to do with seeing the user's password/hash. Letting anyone else but the user see/know the password/hash is a serious security issue.

On a different note: You should use the default implementations for hashing. Using your own hashing algorithm will always be worse than the true tried and tested methods. I'm not sure what PHP version you're using, but from PHP 5.5 onwards you can use password_hash(). For more information please view this question.

Community
  • 1
  • 1
Bono
  • 4,757
  • 6
  • 48
  • 77
  • I know how to compare it with my password, but I need to decrypt it to display it hahah – TableMan Jan 23 '15 at 16:39
  • 2
    @TableMan Even an administrator should not be able to see the user's password in plaintext like that. If you need to log in as the user, implement an account switcher. If you need to give them a password, use a password reset. – ceejayoz Jan 23 '15 at 16:43
  • @ceejayoz But what if this isnt the case, lets say you had this hashing system and you want to change it to a different hashing system, then how are you supposed to convert the password to the new system? Sometimes depending on the situation, you are left with no choice but to decrypt so what then? – MEX Aug 02 '15 at 22:54
  • 2
    @MEX When a user logs in, and has entered the correct data you can just use the inserted password to create a hash with the new algorithm. Then use the new hash with the updated algorithm. Or after the user logs in ask for the password again and let them know the reason why. – Bono Aug 03 '15 at 06:42
  • @Bono that is exactly what I have done for my issue ;) But This is one answer that most people will look for ;) – MEX Aug 03 '15 at 07:24