I am using this piece of code to encrypt my password:

    public function hashSSHA($password) {
        $salt = sha1(rand());                 // 40 hex chars derived from PHP's non-cryptographic rand()
        $salt = substr($salt, 0, 10);         // keep the first 10 characters as the salt
        // SHA-1 over password + salt (raw bytes), salt appended, then base64-encoded
        $encrypted = base64_encode(sha1($password . $salt, true) . $salt);
        $hash = array("salt" => $salt, "encrypted" => $encrypted);
        return $hash;
    }

Now I realize that I need the reverse process of it. So I tried this

    base64_decode(sha1(str_replace($password, $salt), true) . $salt);

and this

    base64_decode(str_replace(sha1(str_replace($password, $salt), true) , $salt));

to get my decrypted password, but none of them work.

neooo
  • Just, don't. Reinventing password hashing is dangerous and pointless. Use [PHP's Password API](http://www.php.net/password). – Jonnix Jun 12 '15 at 20:32
  • You're not "encrypting", you're hashing. There's a major difference between the two: crypting is reversible, hashing isn't. – Marc B Jun 12 '15 at 20:42
  • In the future, take a look at [this answer about storing passwords in PHP](http://stackoverflow.com/a/401684/1122242). – moveaway00 Jun 12 '15 at 20:48

1 Answer

Don't store encrypted passwords, store hashes. Just asking for trouble. PHP docs have a decent tutorial on this.

Edit after comments: for forgot your password forms, you should only need to request their email. Send them an email with a link which includes some random value in the get which you also store in the database table. Confirm the values match, and let them change their password. Afterwards, change the value in the database to invalidate the link you sent them.

twentylemon
  • OP is using hashes, not encryption. Also, this isn't really an answer, but the link is useful, maybe add it to the comments instead. – Jonnix Jun 12 '15 at 20:36
  • I would have left a comment, just it requires 50 reputation for some reason. – twentylemon Jun 12 '15 at 20:37
  • When the question is "how do I shoot myself in the foot", a valid answer is "don't shoot yourself in the foot". – moveaway00 Jun 12 '15 at 20:37
  • I am storing these: "salt" => $salt, "encrypted" => $encrypted. So I have these details to retrieve back my encrypted password. – neooo Jun 12 '15 at 20:37
  • No, you don't, because you're using SHA1 to hash the password, which is lossy. But there's no legitimate reason to ever be able to get the raw password back out of your database. – moveaway00 Jun 12 '15 at 20:39
  • Actually this is old working code and many users' info is saved like this, so I can't change the algo now. Now I have only one option: how I can retrieve my password back. – neooo Jun 12 '15 at 20:39
  • @moveaway00 Not without an explanation. You having a problem breathing doesn't make somebody replying "stop breathing then" an answer to your problem. – Jonnix Jun 12 '15 at 20:39
  • You *can't* retrieve the password. Cryptography at work. If this is a "forgot your password" type form, let the user change their password instead. – twentylemon Jun 12 '15 at 20:40
  • Yeah, this is for forgot password. But how do I validate users? That's why I want to decrypt their old password and send that to their registered email id. – neooo Jun 12 '15 at 20:42
  • Is it good if I create a random string, convert that again using this algo, save the encrypted data to the DB, and send that string by mail as the password? – neooo Jun 12 '15 at 20:54
  • Not really. You shouldn't email plain text passwords. Emails aren't private. A post to your website should be though. – twentylemon Jun 12 '15 at 20:56
  • Actually this is for a mobile app, and now we don't have a free message service by which we can send the user's password to their mobile, so I am trying to use this approach. – neooo Jun 12 '15 at 21:00
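The reset-link flow from the edited answer, written out as an added example (not code from the question or the answer). The PHP array stands in for the database table, the one-hour lifetime and all function names are assumptions, and the new password is stored with the Password API the comments point to:

```php
<?php
// Added example: forgot-password flow built on a one-time reset token.
// $resetTable and $users are constructed stand-ins for database tables.

const RESET_TTL = 3600; // assumed token lifetime: one hour

$resetTable = []; // sha256(token) => ['user' => email, 'expires' => unix time]
$users = ['alice@example.com' => ['hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];

/** Step 1: the form asks only for the email; mint a random value for the link. */
function createResetToken(array &$table, string $email): string {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG, not rand()
    $table[hash('sha256', $token)] = [             // store a hash so a DB leak yields no usable links
        'user'    => $email,
        'expires' => time() + RESET_TTL,
    ];
    return $token;                                 // this value goes into the emailed link (?token=...)
}

/** Steps 2-3: the link is followed; confirm the value matches and is still valid. */
function consumeResetToken(array &$table, string $token): ?string {
    $key = hash('sha256', $token);
    if (!isset($table[$key])) {
        return null;                               // unknown, or already used
    }
    $row = $table[$key];
    unset($table[$key]);                           // invalidate on first use, whatever the outcome
    if ($row['expires'] < time()) {
        return null;                               // link expired
    }
    return $row['user'];
}

/** Step 4: let the user pick a new password; never email one to them. */
function setNewPassword(array &$users, string $email, string $newPassword): void {
    $users[$email]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
}

// One pass through the flow.
$token = createResetToken($resetTable, 'alice@example.com');
$email = consumeResetToken($resetTable, $token);
if ($email !== null) {
    setNewPassword($users, $email, 'new-secret');
}
var_dump(password_verify('new-secret', $users['alice@example.com']['hash']));
var_dump(consumeResetToken($resetTable, $token));  // second use of the same link is refused
```

The existing hashSSHA() values are untouched by this flow; only users who go through a reset end up with a password_hash() entry, so the two schemes can coexist during a migration.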