
I am storing users' encrypted passwords in the database.

Code:

    import org.apache.shiro.authc.credential.DefaultPasswordService;
    import org.apache.shiro.crypto.hash.DefaultHashService;

    public class PasswordDemo {

        public static void main(String[] args) {
            String username = "admin";
            String encrypted_password = createPassword("admin$321");
            // $shiro1$SHA-256$500000$mAXboFyyOtBVoGi6AD8LXw==$acHoVyuQyOSOKfjqwAHXyEVTH7p9cH79yI+0O15NS0U=
            System.out.println(getOriginalPassword(encrypted_password));
        }

        private static String createPassword(String password) {
            DefaultPasswordService passwordService = new DefaultPasswordService();
            DefaultHashService hashService = new DefaultHashService();
            // The defaults are static constants on DefaultPasswordService (SHA-256, 500000 iterations)
            hashService.setHashIterations(DefaultPasswordService.DEFAULT_HASH_ITERATIONS);
            hashService.setHashAlgorithmName(DefaultPasswordService.DEFAULT_HASH_ALGORITHM);
            hashService.setGeneratePublicSalt(true);

            passwordService.setHashService(hashService);
            // Produces the "$shiro1$..." string shown above (salt and digest are base64)
            String encryptedPassword = passwordService.encryptPassword(password);
            System.out.println(encryptedPassword);
            return encryptedPassword;
        }

        // Stub: this is the method the question asks how to implement
        private static String getOriginalPassword(String encrypted_password) {
            return null;
        }
    }

How do I decrypt the stored password?

Torben
Developer Desk
  • So, just to be clear on that: you are asking how to decrypt a password that has been encrypted by yourself? Shouldn't you know both sides of the algorithm before using it? – GhostCat Apr 02 '15 at 09:03
  • Contrary to @Torben's answer, the way that password checking is *always* done in competently designed secure systems that are not vulnerable to legal non-repudiation actions is to *hash* the password with a secure hash algorithm, and to compare the *hashes*. It should be quite impossible for such a system to recover the plaintext password. If you are designing a system that is supposed to be capable of doing so, you are doing it wrong, not just technically but legally, in ways that can break your company. Take competent advice before proceeding further. – user207421 Apr 02 '15 at 09:15
  • @EJP Isn't that just what I said? – Torben Apr 02 '15 at 09:17
  • More reading on this: http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database – Petr Janeček Apr 02 '15 at 09:51
  • @Torben I think EJP is trying to highlight the difference between _encryption_ and _hashing_; encryption suggests there is a mechanism to decrypt, whereas hashing is one-way and not reversible – fspinnenhirn Apr 07 '15 at 18:45
  • You cannot recover the original password after hashing it with a one-way hashing function. Be clear about hashing and encryption. They are totally different. – thoitbk Apr 10 '15 at 16:44

1 Answer


How password checking is commonly done is that you encrypt the password provided by the user and compare the result with the encrypted password that is stored in database.

If you need to decrypt passwords, then you have done something wrong and it would help us answer better if we knew why you need to decrypt them.

If you can decrypt the stored passwords, then there is not much point in encrypting them in the first place, because the point of encryption is to keep the passwords safe from prying eyes. If you can decrypt them, the encryption is a nuisance, not a security feature.

Torben
  • I am making a user panel where an admin / manager will edit user info as well as change the user's password. I am not storing the password in plaintext in the database... – Developer Desk Apr 02 '15 at 09:16
  • Then you do not need to decrypt the old password. Just encrypt the new password and store it. – Torben Apr 02 '15 at 09:17
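The hash-and-compare flow from the answer, worked through on the `$shiro1$` string format shown in the question. This is an added example, not code from the question, the answer or Shiro itself; it assumes Shiro's SimpleHash scheme (first round digests salt||password, every further round re-digests the previous output) and the field layout `$shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>`. The functions `hash_password` and `passwords_match` are names chosen here.

```python
import base64
import hashlib
import hmac
import os

# Assumed stored-string layout, taken from the hash printed in the question:
#   $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
SHIRO1_PREFIX = "$shiro1$"


def _iterate(algorithm: str, salt: bytes, password: bytes, iterations: int) -> bytes:
    """Salted, iterated digest (assumed to mirror Shiro's SimpleHash):
    round 1 digests salt||password, each further round digests the
    previous output. There is no inverse of this function."""
    alg = algorithm.replace("-", "").lower()  # "SHA-256" -> "sha256" for hashlib
    out = hashlib.new(alg, salt + password).digest()
    for _ in range(iterations - 1):
        out = hashlib.new(alg, out).digest()
    return out


def hash_password(password: str, iterations: int = 500000, algorithm: str = "SHA-256") -> str:
    """What 'store a password' means: a fresh random salt plus the iterated
    digest. This is also the whole of an admin-driven password reset:
    hash the new password and overwrite the old string."""
    salt = os.urandom(16)  # 16 bytes, matching the 24-char base64 salt in the question
    digest = _iterate(algorithm, salt, password.encode("utf-8"), iterations)
    return "$".join(["", "shiro1", algorithm, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def passwords_match(submitted: str, stored: str) -> bool:
    """Verification never 'decrypts' anything: re-run the same salted hash
    on the submitted password and compare digests in constant time."""
    if not stored.startswith(SHIRO1_PREFIX):
        return False
    parts = stored.split("$")
    if len(parts) != 6:
        return False
    _, _, algorithm, iterations, salt_b64, digest_b64 = parts
    expected = base64.b64decode(digest_b64)
    actual = _iterate(algorithm, base64.b64decode(salt_b64),
                      submitted.encode("utf-8"), int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = hash_password("admin$321")  # constructed sample credential
    print(stored)
    print(passwords_match("admin$321", stored), passwords_match("admin$123", stored))
```

Because the salt is random, hashing the same password twice yields two different stored strings, yet both verify; that is expected and is why the old hash is never needed when a new password is set.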