-2

How do I decrypt this type of hashing encryption, as I do not know the method or have the decryption codes?

    using System;
    using System.Text;

    public string EncryptPassword(string password)
    {
        // Encode the password as UTF-8 and compute an unsalted SHA-512 digest of it.
        var bytes = new UTF8Encoding().GetBytes(password);
        byte[] hashBytes;
        using (var algorithm = new System.Security.Cryptography.SHA512Managed())
        {
            hashBytes = algorithm.ComputeHash(bytes);
        }
        // Return the digest Base64-encoded; a digest cannot be turned back into the password.
        return Convert.ToBase64String(hashBytes);
    }
mason
    Hashing is one-way transformation. – Nino Apr 20 '17 at 13:42
  • Hashing is not the same as encryption. For simpler hash algorithms you could try brute-forcing with a rainbow table, but [probably not for SHA512](https://security.stackexchange.com/questions/44171/are-there-sha-512-rainbow-tables-available) – stuartd Apr 20 '17 at 13:43
  • I suspect you want to be able to send the password back to the user. Before you decide that it is better to not hash the password, see [Best practice of Hashing passwords](http://stackoverflow.com/a/20186472/402022) and [Recover / Reset lost password options via email](http://stackoverflow.com/a/13330223/402022). – Theraot Apr 20 '17 at 13:49

2 Answers

3

You can't decrypt that value because SHA512 is a one way hash.

Here's some more info about how it can't be decrypted: How to decrypt SHA-512 hashed data

Avitus
  • So can I just remove it from my project without creating any errors? – thlakkh thlakkh Apr 20 '17 at 13:45
  • @thlakkhthlakkh i don't think you should just remove such function... It will probably have impact on user's logging etc... – Nino Apr 20 '17 at 13:46
  • 1
    You should probably want your passwords to be encrypted but yes you can remove the encryption if you wanted clear text passwords – Avitus Apr 20 '17 at 13:46
  • okay thanks for the info but i need the user password to do my password recovery email so i should decrypt and add back the password one by one? – thlakkh thlakkh Apr 20 '17 at 13:49
  • You should probably use a two way encryption such as found here: http://stackoverflow.com/questions/202011/encrypt-and-decrypt-a-string – Avitus Apr 20 '17 at 13:50
  • 6
    @thlakkhthlakkh That's not a good practice. If a user forgets their password, send them a new password. And then once they login for the first time with that new password, force them to create a new one. – mason Apr 20 '17 at 13:50
  • but be sure to only remove encryption if it's only "your" passwords - I don't care what happens to your passwords but if it is meant for storing users' passwords hashing is a "must have" - and while SHA512 isn't very bad it's still far from "state of the art". – piet.t Apr 20 '17 at 13:51
  • @thlakkhthlakkh Once I get an email from you containing *my* password in cleartext I'll use every channel available (starting with http://plaintextoffenders.com/) to proclaim your app/site/... does not honor basic security principles and should be avoided at all cost. – piet.t Apr 20 '17 at 13:53
  • 1
    "That's not a good practice." is putting it lightly. **Never** do this. – msitt Apr 20 '17 at 13:56
  • You don't need a password for password recovery, you need a separate channel for confirming identity so that a new password can be set. What would you do if you could find the password, send it in an email and render it useless? – Jon Hanna Apr 20 '17 at 13:56
0

It's good to hash passwords kept in your database because they can't be reversed. People have a tendency to use the same password on different systems, increasing the risk that an attacker can learn a password from one system and try it on another system. You're protecting your users when you hash their passwords in case your system is compromised.

Technically, your function should be named "HashPassword" rather than "EncryptPassword" because encryption and hashing are not the same thing. Encryption is reversible: you can decrypt and get back your original content. Hashing is "one way": it's like summing up a list of numbers. You can verify that the numbers haven't changed by summing them up again and comparing, but you can't generate the list of numbers from only the sum. Hashes work in much the same way.

Your best option moving forward is to continue working with hashes and to create processes and policies that don't require knowing a user's password. On login, you hash the submitted password and compare hashes instead of directly comparing passwords. If someone can't remember their password, you e-mail them a token that lets them reset their password rather than e-mailing them their password.

phatfingers
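The login and recovery flow the answer above describes, as an added example that is not code from the question or from either answer: a per-user random salt with PBKDF2 instead of the unsalted SHA-512 in the question, a constant-time comparison at login, and a random reset token for recovery so the password itself is never needed. It assumes .NET 6 or later for `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes`; the class name and the stored-string layout are my own choices.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the code from the question or answers. Assumes .NET 6+.
public static class PasswordHasher
{
    const int SaltSize = 16;        // 128-bit random salt, unique per stored password
    const int HashSize = 32;        // 256-bit derived key
    const int Iterations = 210_000; // PBKDF2-HMAC-SHA512 work factor; tune for your hardware

    // Stores "iterations.salt.hash" (Base64) so the parameters travel with the record
    // and can be raised later without breaking existing users.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA512, HashSize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Login: re-derive from the submitted password and compare the two hashes in
    // constant time; the stored password is never decrypted because it never existed.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA512, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Recovery: e-mail this token (persist only a hash of it with a short expiry) and let
    // the user choose a new password when they present it. No old password is involved.
    public static string NewResetToken()
    {
        return Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
    }

    public static void Main()
    {
        string stored = HashPassword("correct horse battery staple"); // constructed sample password
        Console.WriteLine(VerifyPassword("correct horse battery staple", stored));
        Console.WriteLine(VerifyPassword("wrong password", stored));
        Console.WriteLine(NewResetToken());
    }
}
```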