1

Is there a way to decrypt PBKDF2 password in java. Java has implementation of PBKDF2 algorithm as PBKDF2WithHmacSHA1. I got the code to create hashes for password. I referred to below link for hashing technique:

http://howtodoinjava.com/security/how-to-generate-secure-password-hash-md5-sha-pbkdf2-bcrypt-examples/

My requirement is to store the third Party FTP server password in the encrypted format and get back the password in plain text form from DB when there is a need to login into the server. Can anyone suggest best password encryption method?

Pritam Banerjee
  • 17,953
  • 10
  • 93
  • 108
Ayush Goyal
  • 63
  • 1
  • 2
  • 11
  • 2
    PBKDF2 is used to generate encryption keys from passwords. There is no encrypted passwords involved with PBKDF2. – Ebbe M. Pedersen Feb 17 '17 at 08:55
  • The problem is saving decrypt-able passwords is in general not secure. Special precautions need to e used to ensure the encrypted passwords are not on a server that is directly connected to the Internet or use an HSM. Unless assess to the clear passwords is absolutely necessary, no other way exists it should not be done. – zaph Feb 18 '17 at 14:41
  • Possible duplicate of [Decrypt Password Created by crypto.pbkdf2 Object](http://stackoverflow.com/questions/24563847/decrypt-password-created-by-crypto-pbkdf2-object), [How to decrypt pbkdf2 encrypted text without knowing the IV](http://stackoverflow.com/q/16987336/608639), [Decrypting rfc2898 password](http://stackoverflow.com/q/33796138/608639), [About how fast can you brute force PBKDF2?](http://stackoverflow.com/q/11298184/608639), etc. – jww Feb 20 '17 at 05:28
  • piet.t's answer is correct for me. @ajush your real question is not about encryption. It's about storing a password that should remain readable by some automated process even after a reboot with no manual operation. You should create another question for this (if there is not already, that I doubt of). – Laurent Caillette Sep 07 '17 at 06:40

2 Answers2

17

Note that PBKDF2 is a hashing-method rather than an encryption-method (to be precise: it is a method to derive an encryption-key from a password but it is frequently used as a password-hashing method as well). The whole point of PBKDF2 is to make it impossible to get the original password other than by brute-force guessing and make that as hard as possible too.

If you are talking about your users' passwords: you should not be able to get them in clear at all - if you did and let me know (e.g. by showing me my password) I'd instantly mark your whole site as insecure.

If you need to keep an encrypted password for your application to access another service then PBKDF2 is the wrong tool for the job, use a real encryption-algorithm like AES instead.

Artjom B.
  • 61,146
  • 24
  • 125
  • 222
piet.t
  • 11,718
  • 21
  • 43
  • 52
  • @Artjom B Piet.t - Thanks for this information,it helped me google out things more clearly about user security My requirement is to store the third Party FTP server password in the encrypted format and get back the password when there is a need to login into the server **Can you suggest a best way to do it.** – Ayush Goyal Feb 20 '17 at 04:53
  • I know I am a 'little late', any google search will tell you - hashing is one way, encryption is reversible. So as suggested you can use AES or any other reversible encryption to recover the password. – Shashikant Soni Mar 21 '18 at 09:28
  • ... and rather a key derivation function than a hash – Sam Ginrich Jul 06 '23 at 16:37
1

No it's impossible by design! Wonder why?

Following 2 articles will answer all your questions: https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/ https://crackstation.net/hashing-security.htm

Daniel Gartmann
  • 11,678
  • 12
  • 45
  • 60
  • Thanks for this article,helped a lot My requirement is to store the third Party FTP server password in the encrypted format and get back the password from DB when there is a need to login into the server. Actually there will be a need to login into the server every 10-20 minutes **Can anyone suggest any password encryption method** – Ayush Goyal Feb 20 '17 at 05:13
  • Well that's just delegating the problem to the next level. Let's assume you picked algorithm X. How do you intend to protect the encryption key that you will use in order to encrypt the FTP server password? – Daniel Gartmann Feb 22 '17 at 19:41
  • All the relevant information is contained in the linked articles. That makes this a link-only answer. Please add a summary of the linked articles. Link-only answers are not acceptable because links die, and when they do the answer become useless. – President James K. Polk Dec 03 '20 at 21:29