0

I am new to the ASP.NET MVC language. I see this code using System.Security.Cryptography; from what I have searched on Google, it is for making salt + hash passwords.

My question is: can it be decoded using C#?

TraF TraF TraF
  • See [How to securely hash passwords?](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) on security.se. – CodesInChaos Sep 28 '16 at 09:17

3 Answers

1

Short answer: no.

See also https://en.wikipedia.org/wiki/Hash_function

Correctly salted hashes cannot be reverted, which is the point of doing that.

Florian Heer
1

You would be correct in saying that.

The short answer is no. Hashing provides a 1-way interface for obscuring data, whereas encryption provides a 2-way interface for the encryption of data / decryption of encrypted data.

The only way a hash can be 'decrypted', and I use that term loosely, is by brute forcing via the hashing method. This is done by running a bunch of password and salt combinations through the same hashing method until a match is found to the original hash. However, with a strong hashing method and password + salt, this can become an almost impossible task.

Helpful Discussion: Fundamental difference between Hashing and Encryption algorithms

EDIT:

The link of the online cryptographer you provided uses what is known as a Symmetric-key algorithm. This means that a single key is used for the encryption and decryption of the data.

https://en.wikipedia.org/wiki/Symmetric-key_algorithm

Duncan Palmer
0

No. Not easily.

A hash will take some text and produce a number (usually)

e.g., an MD5 hash

password =>  5f4dcc3b5aa765d61d8327deb882cf99

By the nature of the hash, there is no easy way to get back from the number to the original text "password"

But, for the semi clever hacker, you can generate hashes using a dictionary of all words and in reasonable time crack most hashed passwords because people use common combinations of words and symbols. So if you happen to get a list of hashed passwords you can run a dictionary attack on them. Anyone who uses "password" as their password will end up having the same hash.

So as a defense to that, if you add some text unique to each user, a Salt, say, your username, now you've made it harder :-

your string to hash becomes "Yukkipassword" which hashes to 52fbd06f5b93a51b3f3cd9e807a9f61c

Now everyone who uses "password" for their password will also have a different hash, and it becomes really difficult to dictionary attack the password

Keith Nicholas
  • So it's impossible to decode, right? If possible, then it takes a lot of time to decode it? – TraF TraF TraF Sep 27 '16 at 01:50
  • That's correct, it would take a long time across a large number of hashed passwords. But for one individual it is feasible to do an attack with a good guess of what the salt might be (depends on what data you manage to get hold of). A salt should try and be more complicated than just username. For instance you might use signup date, email, etc. But a hacker may get hold of this info too, so it has its limits – Keith Nicholas Sep 27 '16 at 01:58
  • Yes, if done perfectly, 'decoding' a hash will take more time than we expect the universe to exist. This is protection of information, if reverting was easy or quick, the whole point of the exercise is gone. – Florian Heer Sep 27 '16 at 01:58
  • Thanks for the info both of you. – TraF TraF TraF Sep 27 '16 at 02:00