How to ReHash a password stored into my Database ? (PHP)

Question

I have some passwords encrypted in my database and I would like to find a way to display them. Here is how they are saved into my mysql database:

function generateHash($plainText, $salt = null){

                if ($salt === null)
  {
   $salt = substr(md5(uniqid(rand(), true)), 0, 25);
  }
  else
  {
   $salt = substr($salt, 0, 25);
  }

  return $salt . sha1($salt . $plainText);
 }

        $secure_pass = generateHash($this->clean_password);

Then $secure_pass is saved into my database.

Anyone would have an idea ??

Thank you very much ;)

You need to understand the difference between encryption and hashing. — SLaks, Jan 16 '11 at 19:51
SO MANY DUPLICATES. [Reversing an MD5 Hash](http://stackoverflow.com/questions/1471654/reversing-an-md5-hash) — user229044, Jul 06 '11 at 13:47

SLaks · Answer 1 · 2011-01-16T19:54:32.857

9

You must never display a password.
You must never display a password.
You must never display a password.

The entire point of hashing a password is to make this impossible.

Since you're using a somewhat insecure hash, it's a little bit less impossible, but you still can't do it.

You should be use SHA512 instead of SHA1 to make this more impossible.

edited Jan 16 '11 at 19:54

answered Jan 16 '11 at 19:48

SLaks

868,454
176
1,908
1,964

It's not the *entire* point. The rest of the point is that one can check whether the password is (almost certainly) correct. – user359996 Jan 16 '11 at 19:50
1

@user: That's point of _storing_ the password, not hashing it. – SLaks Jan 16 '11 at 19:51
But no point in hashing it if you're not going to store it, eh? ;) – user359996 Jan 17 '11 at 04:28
(I'm assuming you meant "that's the point of storing the password *hash* ", as one compares the hash of the password given in response to a challenge to the stored hash of the correct password). – user359996 Jan 17 '11 at 07:10
Don't use SHA512 *or* SHA1 to hash your passwords. Use a [real password hashing library](http://www.openwall.com/phpass/). – user229044 Jul 06 '11 at 13:47

score 3 · Answer 2 · answered Jan 16 '11 at 19:49

3

The point of a cryptographical hash is that it's neigh-impossible to reverse the operation. So basically the answer here is no, you cannot.

answered Jan 16 '11 at 19:49

Shadikka

4,116
2
16
19

score 1 · Answer 3 · answered Jul 06 '11 at 13:37

there are an infinite number of values that will produce any single hash, as such there is no way to reproduce with certainty the original password that was given.

you can however display working passwords by one of the following methods:

save the password in plain text the next time a user logs in
look for the hashes in http://www.sha1-lookup.com/
use CUDA-Multiforcer to crack the passwords. it should take several years per password on your computer using hashclash. to do this in a reasonable amount of time use the instructions provided in http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/

Cavet: Obviously, if security is important to you, you should do none of the above. if you want to allow users who forgot their password I suggest you read about password resetting.

score 0 · Answer 4 · edited Mar 13 '18 at 03:49

You can't reverse a hash function sooo... you left with two options:

1 Force on user to insert new password or...

2 Update the hash as users login to your system again (You can force to kick the cookie and sessions that allow user to login without retyping their password). This solution will allow your users to log in with the old hash and at the same time you will update the old hash to new one. Next time your user will log in, the script will use new version of hash to login the user.

In this example I have used md5 as a hash I want to update to BCRYPT with cost = 12 but feel free to change it to what ever you need. Change from BCRYPT cost=10 to BCRYPT cost = 12 would also work or any other combination. Consider this example:

$passwordFromDatabase = "0d107d09f5bbe40cade3de5c71e9e9b7"; // md5  hash of "letmein"
$passwordFromForm = $_POST['password']; // $_POST['password'] == "letmein"

if(password_needs_rehash($passwordFromDatabase, PASSWORD_BCRYPT, ["cost" => 12]) && md5($passwordFromForm) === $passwordFromDatabase){
    // generate new password
    $newPasswordHash = password_hash($passwordFromForm, PASSWORD_BCRYPT, ["cost" => 12]);
    // update hash from databse - replace old hash $passwordFromDatabase with new hash $newPasswordHash
    // after update login user
    if(password_veryfi($passwordFromForm, $newPasswordHash)){
        // user has loged in successfuly and hash was updated
        // redirect to user area
    }else{
        // ups something went wrong Exception
    }
}else{
    if($password_veryfi($passwordFromForm, $passwordFromDatabase)){
        // user password hash from database is already BCRYPTed no need to rehash
        // user has loged in successfuly
        // redirect to user area
    }else{
        // wrong password
        // no access granted - stay where you are
    }
}

I prefer the second option :). Make your own choice. If you pick the second option and choose not to kick the cookie and session that allow user to login without providing the password, its ok too... The change will happen overtime. And no one will even notice the change.

score 0 · Answer 5 · answered Jan 16 '11 at 19:49

0

You've run them through SHA1 - the original passwords are destroyed and unrecoverable by any practical means. You COULD try to find another string that produces the same SHA1, but that'd be more effort than it's worth.

answered Jan 16 '11 at 19:49

Marc B

356,200
43
426
500

Actually the password is hahed (with a salt) using sha1 rather than md5. The default salt is being hashed with md5 – Mark Baker Jan 16 '11 at 19:51

How to ReHash a password stored into my Database ? (PHP)

5 Answers5