1

I am working on a project where I had got my password field value's hashCode and stored that hashCode in the DB for security purposes. Now I want to recover the password from the hashCode. How can I do it? Is it possible to get the String value back from the hashCode? If it is not, can anyone suggest me a better way to store my password in any other format?

Sandun
Ramesh
  • 3
    If you could recover your password from a hash, how would the hash be improving your security? – khelwood Jul 04 '17 at 08:41
  • 2
    You can't. Hash codes are not reversible, by definition. See the discussion under [tag:password-encryption] (your own tag). – user207421 Jul 04 '17 at 09:22
  • 1
    [Hashing in Java -> Get password from hash & salt](https://stackoverflow.com/q/38832367/608639), [how do i retrieve the original plaintext password of a hashed password](https://stackoverflow.com/q/23761505/608639), [Is there any way to retrieve the plain text password back when hashed](https://stackoverflow.com/q/12026149/608639), [Encrypt and decrypt a password in Java](https://stackoverflow.com/q/6592010/608639), [Retrieving password when the password stored as a hash value](https://stackoverflow.com/q/1013581/608639), etc. – jww Jul 04 '17 at 10:39
  • 1
    Java's HashCode and cryptographic hash functions are different things, but both cannot be reversed. – Artjom B. Jul 04 '17 at 16:53

4 Answers

3

You know that several objects can have the same hash(), as mentioned in the Javadoc for Object.hashCode():

> It is not required that if two objects are unequal according to the java.lang.Object#equals(java.lang.Object) method, then calling the hashCode method on each of the two objects must produce distinct integer results.

It's obvious you can't restore different objects from the same hash code, so it's impossible at all, simple logic.

Vitaliy Moskalyuk
2

Hashing is a one-way function (it should be, at least), so you cannot recover the password from the hash.

However, you can apply the same hashing to any string and compare it to the hash of the password, so you can check if they match.

With good hashing, the chances of having two strings with the same hash are quite low, so you can compare the hash of the password (which you can store) and the hash of another string to determine if they are the same.

Another point is that hashCode is not a good way to produce such hashes, as we can easily have two objects with the same hashCode. You can use implementations such as PBKDF2, BCrypt, etc.

Alberto Trindade Tavares
1

One technique is to brute-force it. Just run through every possible password. You can get through a surprising number if the hashing algorithm is not designed to be computationally expensive.

If it's really String.hashCode then that's not cryptographically secure. Not by a long shot. As ΦXocę 웃 Пepeúpa ツ's answer alludes to, you can probably work backwards to one (of many) possible passwords by hand.

How should you do it? Use a well-known cryptographic hash. Preferably one that can be made computationally expensive, such as bcrypt. Also you should salt the password (a random number combined with the password before hashing to prevent the use of compact precomputed lookup tables (rainbow tables) to crack in bulk). Essentially use someone else's library/system.

Tom Hawtin - tackline
0

Not a good idea; hashCode should never ever be used as an identifier to prove equality of objects...

Consider this:

```java
System.out.println("Aa".hashCode()); // prints 2112
System.out.println("BB".hashCode()); // prints 2112 as well
```

Both have the same hashCode 2112 but are holding completely different information.

ΦXocę 웃 Пepeúpa ツ
  • Using hash codes as stored passwords relies on exactly this technique. The more important criteria are that passwords should not be recoverable, and that hash codes should not be reversible. – user207421 Jul 04 '17 at 09:21
  • so if your password is Aa you will get-in giving BB as well? – ΦXocę 웃 Пepeúpa ツ Jul 04 '17 at 09:22
  • Certainly, that's how hash codes work: they are a mapping from a large value space onto a small value space, and therefore not reversible, which, as I just said, is the real point. Non-reversibility of passwords is the solution to a [company-busting issue](https://stackoverflow.com/questions/2283937/how-should-i-ethically-approach-user-password-storage-for-later-plaintext-retrie/2287672#2287672). Your examples are hardly realistic, but every secure system on the planet uses password hashing rather than password encryption, by definition. – user207421 Jul 04 '17 at 09:23
  • To add a bit more on that point, a password is usually not hashed into an `int` like `hashCode` does, so the "chance" of duplicate values is thinner than when using `String.hashCode`. Using `MD5`, for example, creates a much more complex hash with way more combination possibilities. – AxelH Dec 18 '17 at 07:03