-2

Update:

SHA-512 is one-way so I will need to not attempt to crack passwords because it is easier to simply reset a password. If someone is aware of getting the original password from a SHA-512 hashed text, please let me know. Otherwise, I am moving on from this question. Thank you for all of your answers.


Original Question:

I have read a lot of articles that state that SHA-512 hashing cannot be unhashed. However, there is a source code for the various SHA-1 + algorithms here: https://tls.mbed.org/sha-512-source-code.

I would like to know if it is possible to reverse this coding, in a way, to decrypt SHA-512 hashed text. Linux encrypts their passwords with SHA-512 hashing. As a systems administrator, I would prefer to simply decrypt or unhash this information as needed, rather than guessing whether a password is correct or incorrect and see if the hash matches. Creating new passwords can cause a lot of extra time and money. If you do not feel comfortable publishing this information and would like to discuss it privately, feel free to request my contact information.

Thank you!

Community
technerdius
  • "Creating new passwords can cause a lot of extra time and money." really? how much? "If you do not feel comfortable publishing this information" There is no secret handshake, it is fact non-reversible. – zaph Mar 09 '16 at 18:23
  • 3
    not to mention that, even as a system administrator, cracking your user's password is not ethical at all. – saljuama Mar 09 '16 at 18:26
  • Anything I do, including cracking, would get approval by a client. So, this would be ethical. – technerdius Mar 09 '16 at 18:29

3 Answers

19

Why do you not believe what you have read?

Cryptographic hash functions can not be reversed.

Thought experiment: You have 200 bytes you pass to SHA512, out come 64 bytes. Something has been lost. How do you regain what is lost?

In a similar manner if you have an integer, say 123, and mod by 10 the result would be 3. Now reverse that–oh it could have been any of 3, 13, 23, 33, 123, 9343453, *3.

zaph
  • Right, then theoretically, I could take those potential results and test if they are the correct password. But, I see that this is so much more complicated than simply resetting a password. If what I said makes any sense to you, let me know and I'll be happy to continue pursuing answers of how to find the possible passwords from a hash so I can have a script written to test those possibilities. – technerdius Mar 09 '16 at 18:37
  • 2
    There are hacking programs available that will take a list of potential passwords and try them looking for a solution, this method is brute force. There are also [lists of passwords](https://github.com/danielmiessler/SecLists/tree/master/Passwords) by frequency. But essentially resetting the password is the only viable solution and the correct/secure solution. – zaph Mar 09 '16 at 18:50
  • I saw one for Windows but none for Linux. – technerdius Mar 09 '16 at 18:58
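The thought experiment in the answer above can be run directly. This is an added example, not code from any of the posts: it lists the inputs that all reduce to 3 under mod 10, then cuts SHA-512 down to 2 bytes (an assumption made only so the output space is small enough to search) and finds two different inputs with the same truncated digest. No collision is known for the full 64-byte digest; the truncation just makes the lost information visible.

```python
import hashlib
from itertools import count


def preimages_mod(residue, modulus, limit):
    """All n in [0, limit) with n % modulus == residue.

    'Reversing' the mod operation yields a set of candidates, not one value.
    """
    return [n for n in range(limit) if n % modulus == residue]


def truncated_sha512(data: bytes, nbytes: int) -> bytes:
    """First nbytes of the SHA-512 digest: a deliberately tiny output space."""
    return hashlib.sha512(data).digest()[:nbytes]


def find_truncated_collision(nbytes: int = 2):
    """Return two different inputs whose truncated digests are equal.

    With nbytes=2 there are only 65,536 possible outputs, so by the
    pigeonhole principle a repeat must occur within 65,537 inputs.
    """
    seen = {}
    for i in count():
        msg = f"message-{i}".encode()  # constructed sample inputs
        tag = truncated_sha512(msg, nbytes)
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg


if __name__ == "__main__":
    print("inputs that give 3 under mod 10:", preimages_mod(3, 10, 130))
    a, b = find_truncated_collision()
    print("same 2-byte digest", truncated_sha512(a, 2).hex(), "for", a, "and", b)
    # Nothing in the shared digest says which of the two inputs was hashed.
```
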
10

> I have read a lot of articles that state that SHA-512 hashing cannot be unhashed.

Yes. That is the definition of "hash". This has nothing to do with SHA-512. The definition of a hash function is that it cannot be reversed. Period. If it can be reversed, it's not a hash.

> I would like to know if it is possible to reverse this coding, in a way, to decrypt SHA-512 hashed text.

No, you can't decrypt it, because it isn't encrypted, it's hashed.

> Linux encrypts their passwords with SHA-512 hashing.

No, it doesn't. It hashes them, it doesn't encrypt them.

> As a systems administrator, I would prefer to simply decrypt or unhash this information as needed, rather than guessing whether a password is correct or incorrect and see if the hash matches. Creating new passwords can cause a lot of extra time and money. If you do not feel comfortable publishing this information and would like to discuss it privately, feel free to request my contact information.

As a systems administrator, if you don't understand the difference between encryption and hashing, please tell me where you work, so that I never ever accidentally become a customer of yours! The Pigeonhole Principle is so simple and obvious that it can be understood by a child.

Jörg W Mittag
  • Thank you @Jorg W Mittag for your reply. I am sure you feel proud of your answer. I understand the difference between hashing and encryption. I need to review what I write before publishing. I reviewed the Pigeon Principle and yes, it is easy to understand. I just wanted to see if anyone has ever come up with a way to unhash data. Apparently, it is impossible to do since it is "one way", so I will just reset passwords as usual when those situations arise. – technerdius Mar 09 '16 at 18:28
4

The articles you have read are correct.

However, if for example, a user uses a dictionary word, and you aren't salting your hashes, then those circumstances are open to dictionary attacks. Which is why no one worth their salt, pun intended, would use a hash algorithm without a salt.

Frankly I find it unlikely a systems administrator would need to get a password, as generally they have impersonation rights.

blowdart
  • 3
    Isn't hashing a one-way operation anyway? To me it sounds as if OP thinks the algorithm can simply be run in reverse. – Jongware Mar 09 '16 at 18:18
  • It is. Which is why a pre-computed dictionary would be a possibility. Or judicious use of rainbow tables. And luck. Lots of luck. – blowdart Mar 09 '16 at 18:19
  • I am always amazed by such questions. The Pigeonhole Principle is so simple and obvious that it can be understood by a child. – Jörg W Mittag Mar 09 '16 at 18:19
  • 2
    Maybe jquery could help. – blowdart Mar 09 '16 at 18:20
  • @blowdart That makes sense. The reason I thought this possible in the first place is because I saw some websites that have javascript that can unhash SHA-1. So, naturally, I thought this might be done with SHA-256, 512, etc. "The Pigeonhole Principle is so simple and obvious that it can be understood by a child." There really is no need to degrade someone for their curiosity my friend Jorg W Mittag. – technerdius Mar 09 '16 at 18:39
  • This is a question of pure curiosity, not necessarily "need", if you will. I have a lot of curiosity when it comes to programming and computers because I love this stuff. So, I know there are easier work-arounds available. Thank you for your answers. – technerdius Mar 09 '16 at 18:42
  • Thank you for that [link](https://github.com/danielmiessler/SecLists/tree/master/Passwords). – technerdius Mar 09 '16 at 21:04
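The salting point from the last answer, and why a system never needs to reverse a hash to check a login, as an added example that is not code from any of the posts. It uses PBKDF2-HMAC-SHA512 from Python's standard library as a stand-in for the scheme Linux uses; the function names, iteration count and sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration


def unsalted_sha512(password: str) -> str:
    """Weak form: identical passwords always give identical stored values."""
    return hashlib.sha512(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest). A fresh random salt is drawn per stored record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, expected: bytes) -> bool:
    """Check a login by re-hashing with the stored salt; nothing is reversed."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password shared by two users

    # Unsalted: both users' stored values match, so one precomputed
    # dictionary entry exposes every account that uses this password.
    print(unsalted_sha512(pw) == unsalted_sha512(pw))   # True

    # Salted: same password, different stored values per user.
    salt_a, stored_a = hash_password(pw)
    salt_b, stored_b = hash_password(pw)
    print(stored_a == stored_b)                         # False

    print(verify_password(pw, salt_a, stored_a))        # True
    print(verify_password("wrong guess", salt_a, stored_a))  # False

    # A reset is just a new (salt, digest) pair; the old password is never needed.
    salt_a, stored_a = hash_password("new passphrase")
```
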