5

One must store the hashed password in the database for security reasons.

If a user does not remember their account password, how can they retrieve it back? I can only share their hashed password at this stage, which is useless to them.

Can you recover the password if it is hashed by md5, sha1 with additional salt?

Suraj
  • A hash is like a meat grinder. You can turn a cow into ground beef, but you cannot turn ground beef into a cow. – Neil McGuigan Oct 30 '13 at 22:21
  • **Exactly!** And to extend the analogy ... what you *can* do is keep grinding different cows *until you get ground beef that tastes exactly like the ground beef you have*. If this seems inefficient, you're right - it's *designed* to be. That's why it's deeply wrong to say that hash cracking is "dehashing" or "reversing" or "decrypting" anything. There is no inversion of the original operation. All you can do is *duplicate the operation and compare the results*. That's hash cracking. – Royce Williams Mar 13 '22 at 22:56

6 Answers

18

There is but one simple answer: You cannot.

Well, theoretically you could, but it could take many years per password if they are long enough. After all, that is the point of hashing passwords in the first place: to make the data effectively useless to an attacker (or at least protect the user's plaintext password, which is sensitive data.)

Just have the site send a "change your password" email containing a link to a page where that user can change his/her password. This is how most professional sites handle this dilemma.

hb2pencil
  • and this is why the password strength of most professional sites is equivalent to the password strength of the email account you use to sign up for it! – Peter Ajtai Sep 01 '10 at 06:16
  • That's true :) It still beats security questions for this though. – hb2pencil Sep 01 '10 at 06:19
  • http://tools.benramsey.com/md5/ md5 hash reverse tool. Good passwords probably won't exist in the db however. – Ben Rowe Sep 01 '10 at 06:21
  • @Ben That site could be useful as a component of a password-screening process. I.E. If the new password's MD5 hash is in the DB, have the user create one that is more secure! :) – hb2pencil Sep 01 '10 at 06:28
  • If you use a per-user random salt, sites like that are irrelevant. – Matthew Flaschen Sep 01 '10 at 06:33
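As an added example (not code from any of the answers above), here is the "change your password" link flow hb2pencil describes, combined with the per-user random salt Matthew Flaschen's comment recommends. It assumes an in-memory dict in place of the real database and uses PBKDF2 from hashlib instead of the MD5/SHA1 mentioned in the question; the reset link carries a random token whose hash, not the token itself, is stored with an expiry.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stand-ins for the user table and the reset-token table.
USERS = {}           # username -> (salt, password_hash)
RESET_TOKENS = {}    # sha256(token) -> (username, expiry_timestamp)
RESET_TTL = 15 * 60  # seconds a reset link stays valid

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash; only the salt and digest are ever stored."""
    if salt is None:
        salt = secrets.token_bytes(16)      # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)

def verify_password(username: str, password: str) -> bool:
    """Re-run the hash with the stored salt and compare digests in constant time."""
    salt, stored = USERS[username]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)

def create_reset_token(username: str, now: Optional[float] = None) -> str:
    """Return the secret to embed in the e-mailed link; store only its hash."""
    if username not in USERS:
        raise KeyError(username)
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, now + RESET_TTL)
    return token

def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password only if the token is known, unexpired and unused."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)   # single use: consumed on any attempt
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    USERS[username] = hash_password(new_password)   # fresh salt as well
    return True
```

The old password is never recovered at any step; the user simply proves control of the e-mail address and sets a new one.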
5

This is meant to be intractable. Thus, you usually have to provide some way of resetting it. Sending a special link to the user's email is common, though it reduces your security to that of the email account.

See Forgot Password: what is the best method of implementing a forgot password function?

Matthew Flaschen
4

The security of hashing instead of encrypting the password is that you cannot reverse a hash. If you could unhash the password and give the user their plain text password, then any hacker can reverse the hashed password you use for registration and sign in and "dehash" it to get the user's password.
This is a feature, not a bug.

chustar
1

Hashing itself stands for "cannot be retrieved back".

If a user cannot remember their password, they don't need this one for sure.
Just create another random one and send them.
Not a big deal.

Your Common Sense
0

Yes, one may forget his/her password. The good practice while using hashed passwords would be to make the user type the email address of the account whose password he/she wants to reset; then the system will reset the user's password with another generated password. With an MD5-like hashed password it is almost impossible to retrieve the original password from the hashed one.

Rahul TS
0

Always beware sites that can e-mail you the password you use. That means your password is easily seen by anyone who has access to the password database, which is especially dangerous if you reuse passwords.

For password resetting, I recommend using 'safe questions' with answers that are also encrypted.

It behooves all those who operate websites to keep their customers reasonably safe from hackers.