
encryption

P: 1
I am using the SHA1 algorithm to encrypt user passwords. Fair enough. Many user sign-in forms also have a provision to
send you your password should you forget it. Is this possible
with sha1? Once encrypted, I don't see any way to retrieve it.
Brian
Jul 25 '07 #1
10 Replies


dafodil
100+
P: 392
I am using the SHA1 algorithm to encrypt user passwords. Fair enough. Many user sign-in forms also have a provision to
send you your password should you forget it. Is this possible
with sha1? Once encrypted, I don't see any way to retrieve it.
Brian

I don't have any idea about this SHA1, since I don't use it, but I hope this link helps you.

http://en.wikipedia.org/wiki/SHA-1#SHA-1_algorithm

This will test your reverse engineering skills.

Good luck.
Jul 25 '07 #2

kovik
Expert 100+
P: 1,044
Hashing and encryption are different. Encryption means you can decrypt the data, but hashed data is irretrievable. The way you allow users to deal with forgotten passwords is to have a security question (or some other form of verification that they wouldn't forget), and then an email that gives them a randomly generated code that you have stored to confirm that it is the same person, then allow them to create a new password.

Security is a broad topic, and you should think about everything that could go wrong during the "forgot your password" process. You want to prevent other people from stealing a password, so take the necessary measures.
Jul 26 '07 #3

dafodil
100+
P: 392
You mean to say you can't decrypt SHA-1 since it is hashing?

How come in this site they said that SHA-1 is an encryption algorithm?
If you look closely at the first paragraph it is written that SHA-1 is a Hash encryption algorithm?
http://www.vocal.com/SHA1.html


I just want to clear things up.
SHA-1 algorithm is included in the Cryptographic hash function.
It means to say that they are data encryption functions.

Check this site for reference:
http://en.wikipedia.org/wiki/Cryptog...hash_functions

Read the Applications of hash functions part over there.
There is a part there referring to password encryption.

First of all, if I am going to invent a formula to encrypt files, why would I not want to decrypt it?
Right?
Jul 26 '07 #4

dafodil
100+
P: 392
There are already some security issues with SHA-1.

In various standards and applications, the two most-commonly used hash functions are MD5 and SHA-1. In 2005, security flaws were identified in both algorithms.

Reference:

http://en.wikipedia.org/wiki/Cryptog...hash_functions

There are other cryptographic hash functions. Check the table for the list.
Jul 26 '07 #5

kovik
Expert 100+
P: 1,044
So are you saying that SHA1 is encryption, and not hashing? Because all other SHA algorithms are hashing.
Jul 26 '07 #6

dafodil
100+
P: 392
So are you saying that SHA1 is encryption, and not hashing? Because all other SHA algorithms are hashing.
It's already written there that it's hashing. I just don't understand why you said that hashed data is irretrievable, when you can actually decrypt it.
Jul 26 '07 #7

nathj
Expert 100+
P: 938
I am using the SHA1 algorithm to encrypt user passwords. Fair enough. Many user sign-in forms also have a provision to
send you your password should you forget it. Is this possible
with sha1? Once encrypted, I don't see any way to retrieve it.
Brian
I am having to develop a similar system. What I intend to do if a user forgets the password is generate a new random one.

However, they will have to identify themselves first by supplying:
1) Their username
2) Their main email address - the new password will be sent to this address
3) The contents of a captcha image.

The first two will be validated against the database and if there is no match the password is not reset.

For the purposes of my system this is fine; it may also be worth adding security questions like mother's maiden name, name of junior school, etc. to this process.

I have deliberately not developed a mechanism to decrypt the passwords as I don't want to be able to know all the passwords. So if a user forgets their password then they get a new one which, when used, they can reset or keep.

This is my solution to the problem, without too much discussion on hashing and encryption.

Cheers
nathj
Jul 26 '07 #8
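
An added example, not part of any post in this thread: a minimal sketch of the reset flow described in #3 (e-mail a random code, keep a stored copy to confirm it) combined with the username and e-mail check from #8. All names (USERS, PENDING, TOKEN_TTL, request_reset, redeem) are hypothetical, the in-memory dicts stand in for a database, and the captcha and mail delivery are left out.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset code stays valid (assumed policy)

# Constructed sample data: username -> registered e-mail address.
USERS = {"brian": "brian@example.com"}
# sha256(code) hex -> (username, expiry). The raw code is never stored,
# so a leaked table cannot be used to reset accounts.
PENDING = {}


def token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, email, now=None):
    """Return a one-time code to e-mail, or None if the details do not match."""
    now = time.time() if now is None else now
    known = USERS.get(username)
    if known is None or not hmac.compare_digest(
            known.encode(), email.lower().encode()):
        return None  # the caller shows the same message either way
    # Drop any older code for this account so only the newest one works.
    for key in [k for k, (user, _) in PENDING.items() if user == username]:
        del PENDING[key]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    PENDING[token_digest(token)] = (username, now + TOKEN_TTL)
    return token


def redeem(token, now=None):
    """Return the username the code belongs to, consuming it; None if invalid."""
    now = time.time() if now is None else now
    entry = PENDING.pop(token_digest(token), None)  # pop makes it single-use
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None
```

Only after redeem() returns a username should the application let that user choose a new password.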

dafodil
100+
P: 392
I am having to develop a similar system. What I intend to do if a user forgets the password is generate a new random one.

However, they will have to identify themselves first by supplying:
1) Their username
2) Their main email address - the new password will be sent to this address
3) The contents of a captcha image.

The first two will be validated against the database and if there is no match the password is not reset.

For the purposes of my system this is fine; it may also be worth adding security questions like mother's maiden name, name of junior school, etc. to this process.

I have deliberately not developed a mechanism to decrypt the passwords as I don't want to be able to know all the passwords. So if a user forgets their password then they get a new one which, when used, they can reset or keep.

This is my solution to the problem, without too much discussion on hashing and encryption.

Cheers
nathj
That's an alternative, not actually a solution to the problem he's asking.
Jul 26 '07 #9

nathj
Expert 100+
P: 938
That's an alternative, not actually a solution to the problem he's asking.
That's correct - but an alternative can indeed be a solution. The process of decrypting passwords is not one I would ever recommend.

nathj
Jul 26 '07 #10

kovik
Expert 100+
P: 1,044
It's already written there that it's hashing. I just don't understand why you said that hashed data is irretrievable, when you can actually decrypt it.
That is where you are incorrect. Encryption is a function performed with a key that turns cleartext into unintelligible data, which can be reverted back using the key. Hashing is a one-time function that turns any data into a fixed length string.

If you don't understand what I'm saying, hash (using SHA-0 or higher, or MD5) any small string, then hash an entire paragraph. They both will produce the same amount of characters. What makes you think that they can possibly be decrypted to get their original contents?
Jul 26 '07 #11
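
An added example, not part of any post in this thread: the experiment from #11 (a short string and a long text give digests of the same length) together with how a login check works without decrypting anything. It goes beyond the thread by storing a salted PBKDF2-HMAC-SHA256 key instead of a bare SHA-1 digest; the function names and the ITERATIONS value are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune it for your hardware


def sha1_hex(text):
    """Plain SHA-1, used here only to show the fixed output size."""
    return hashlib.sha1(text.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, derived_key) to store in place of the password."""
    # A fresh random salt makes equal passwords produce different records.
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(attempt, salt, stored_key):
    """Recompute from the login attempt and compare; nothing is decrypted."""
    _, candidate = hash_password(attempt, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    # Constructed inputs: one character versus a long paragraph.
    print(len(sha1_hex("a")), len(sha1_hex("some long paragraph " * 200)))
    salt, key = hash_password("correct horse")
    print(verify_password("correct horse", salt, key))
    print(verify_password("wrong guess", salt, key))
```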
