
We have an application with an issue: we have a method which encrypts the password, but we need another function which decrypts the password.

using System;
using System.Security.Cryptography;
using System.Text;

public string Encrypt(string originalPassword)
{
    if (originalPassword == null)
        return String.Empty;

    // SHA1CryptoServiceProvider computes a SHA-1 digest (20 bytes); there is no key involved
    SHA1 sha1 = new SHA1CryptoServiceProvider();
    // ASCIIEncoding.Default resolves to the inherited Encoding.Default (the system code page), not ASCII
    Byte[] originalBytes = ASCIIEncoding.Default.GetBytes(originalPassword);
    Byte[] encodedBytes = sha1.ComputeHash(originalBytes);

    // Convert the digest bytes to a 'readable' hex string, e.g. "A9-4A-8F-..."
    return BitConverter.ToString(encodedBytes);
}
ZCoder
  • Passwords should be salted and hashed, not encrypted – Ňɏssa Pøngjǣrdenlarp Dec 12 '18 at 15:30
  • Passwords should be hashed. They must not be decrypted. Why do you want to decrypt the password? – Chetan Dec 12 '18 at 15:34
  • Agree with @WelcomeOverflow; also you may want to take a look at the .NET Core Identity password hasher implementation here: [https://github.com/aspnet/AspNetCore/blob/master/src/Identity/src/Core/PasswordHasher.cs](https://github.com/aspnet/AspNetCore/blob/master/src/Identity/src/Core/PasswordHasher.cs) – Abdo Dec 12 '18 at 15:35
  • SHA is **not** encryption, so it cannot be decrypted. It is a hashing algorithm, so the only mechanism to obtain the data is brute-forcing it. – Cleptus Dec 12 '18 at 15:37
  • Your approach on the `decrypt` is wrong. You should hash the password when saving it and then hash the password when the user enters it. If the entered hash matches the saved hash, then you're good. – Jimenemex Dec 12 '18 at 15:37
  • @Jimenemex the problem with hashing passwords without a salt is that the same password will generate the same hash, which is easier to crack using `brute force` or `rainbow tables` – Abdo Dec 15 '18 at 15:13
  • Thanks!!!!!!!!!!!!!! :) – ZCoder Dec 21 '18 at 15:17

2 Answers


Your method is not encrypting the password, it's hashing it. You won't be able to recover the original string from the hash - and that's entirely on purpose and by design:

A cryptographic hash function allows one to easily verify that some input data maps to a given hash value, but if the input data is unknown, it is deliberately difficult to reconstruct it (or any equivalent alternatives) by knowing the stored hash value.

Konamiman

Below is a very basic example of how to Hash using PBKDF2 with SHA512:

using System;
using System.Security.Cryptography;
using System.Text;

...

public string HashPassword(string pswd, string saltValue, int iterations)
{
    byte[] pswdBytes = Encoding.UTF8.GetBytes(pswd);
    // Rfc2898DeriveBytes rejects salts shorter than 8 bytes, so the salt string must be long enough
    byte[] saltByte = Encoding.UTF8.GetBytes(saltValue);

    // Rfc2898DeriveBytes is the framework's PBKDF2 implementation; the overload taking a
    // HashAlgorithmName needs .NET Framework 4.7.2 / .NET Core 2.0 or later
    using (var pbkdf2 = new Rfc2898DeriveBytes(pswdBytes, saltByte, iterations, HashAlgorithmName.SHA512))
    {
        byte[] hashedPassword = pbkdf2.GetBytes(64);   // 64 bytes = the full SHA-512 output size
        return Convert.ToBase64String(hashedPassword);
    }
}

You can use it like this:

public void SaveNewUser(string username, string password)
{
    string salt = GetSalt();                 // a fresh random salt for this user
    string hashedPassword = HashPassword(password, salt, 10000);

    // Go save the username, hashed password and salt in the DB
    SaveUserInDatabase(username, hashedPassword, salt);
}

public bool AuthenticateLogin(string username, string password)
{
     // Get the salt saved in the DB for the user somehow
     string salt = GetSaltFromDB(username);
     string hashedPassword = HashPassword(password, salt, 10000);

     // Get the saved password hash from the database somehow
     string savedPassword = GetSavedPasswordFromDB(username);

     // String.Equals stops at the first differing character; on a production login
     // path prefer a fixed-time comparison of the two hashes
     if (hashedPassword.Equals(savedPassword))
     {
          return true;
     }

     return false;
}

When a new user is created, or however you initially save the password, SaveNewUser is called to salt, hash and then save the password and the salt used.

Then when a user logs in, the entered password is again salted (using the saved salt) and hashed in AuthenticateLogin, but this time compared to the saved password. (Of course you need a way to get the same user from the database, but the concept remains the same.)

If the hashes match, then the user has entered the correct password.

Read up on how to create a Salt value here.

Jimenemex
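The two answers above make the same point from different ends: a hash is one-way, so login never decrypts anything; it recomputes the hash from the entered password plus the stored salt and compares. The following is an added, self-contained hash-and-verify pair illustrating that procedure; it is not code from the question or from either answer. It assumes .NET 6 or later (for `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes`). The `PasswordHasher` class name, the `scheme$iterations$salt$hash` record format and the default iteration count are choices made here, not anything from the thread.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the question or either answer.
// Assumes .NET 6 or later (Rfc2898DeriveBytes.Pbkdf2, RandomNumberGenerator.GetBytes).
public static class PasswordHasher
{
    private const string Scheme = "pbkdf2-sha512";
    private const int SaltSize = 16;              // 128-bit random salt, fresh for every Hash() call
    private const int HashSize = 32;              // 256-bit derived key stored per user
    // Assumed default; tune so one hash takes a noticeable fraction of a second on the login server.
    private const int DefaultIterations = 210_000;

    // Hashes a password with a fresh random salt and returns a self-describing record:
    // scheme$iterations$base64(salt)$base64(hash). Storing the parameters with the hash
    // lets the iteration count be raised later without invalidating existing records.
    // Base64 never contains '$', so the separator is unambiguous.
    public static string Hash(string password, int iterations = DefaultIterations)
    {
        if (password is null) throw new ArgumentNullException(nameof(password));
        if (iterations <= 0) throw new ArgumentOutOfRangeException(nameof(iterations));

        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA512, HashSize);
        return string.Join("$", Scheme, iterations, Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Recomputes the hash using the salt and iteration count from the stored record and
    // compares in constant time. A malformed record is a failed login, not an exception,
    // so a corrupted row cannot turn into a 500 or an accidental bypass.
    public static bool Verify(string password, string stored)
    {
        if (password is null || stored is null) return false;

        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != Scheme) return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations <= 0) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException)
        {
            return false;
        }
        if (salt.Length == 0 || expected.Length == 0) return false;

        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA512, expected.Length);

        // FixedTimeEquals does not stop at the first differing byte, so comparison time
        // leaks nothing about how much of the hash matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input for the demonstration; a real application never logs these.
        const string pw = "correct horse battery staple";
        string stored1 = PasswordHasher.Hash(pw);
        string stored2 = PasswordHasher.Hash(pw);

        // Same password, different salt, therefore a different stored record each time:
        // a precomputed table of hashes for common passwords is useless against these.
        Console.WriteLine($"records differ for the same password: {stored1 != stored2}");
        Console.WriteLine($"correct password verifies:            {PasswordHasher.Verify(pw, stored1)}");
        Console.WriteLine($"case-changed password verifies:       {PasswordHasher.Verify("Correct horse battery staple", stored1)}");
        Console.WriteLine($"old record still verifies later:      {PasswordHasher.Verify(pw, stored2)}");
        Console.WriteLine($"malformed record verifies:            {PasswordHasher.Verify(pw, "not-a-record")}");
    }
}
```

Only the first two `Console.WriteLine` lines should print `True`; the case-changed password and the malformed record must both report `False`. The record format is the same idea as the `PasswordHasher.cs` linked in the comments, which also stores format version, iteration count and salt alongside the derived key; when the iteration count is later raised, a record written with the old count still verifies, and the application can rehash with the new count at the moment it has the plaintext (right after a successful login).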