发表新帖
发表新帖

Retrieving password when the password stored as a hash value

前端 未结
关注
8 913
遥遥无期
遥遥无期 2021-01-05 14:15

Can users request that their password be emailed to themselves if the password is stored as a hash value?

Is there any way to convert a hash value to the clear text

相关标签:
8条回答
  • 天涯浪人
    2021-01-05 14:30

    There is no way to reverse the commonly used hashes. They can be bruteforced (trying every single possible password) or you can use a wordlist (using a list of commonly used passwords) in combination to brute force to speed it up some, but it is still a very slow and CPU intensive process.

    The best way, which many sites use, it to create a "Password Reset" button where you enter your username and email, and if they match, it sends you a random password and gives you a link to the login page and you can login with your random password and change your password.

    0 讨论(0)
  • 爱一瞬间的悲伤
    2021-01-05 14:31

    Hashed passwords cannot be retrieved in general (this depends on the hashing function, secure hashes cannot be retrieved). If they have the same hash on two sites, they could have the same password, this depends on the hash salt used by the sites, what method etc.

    If your password is securely stored in a good hashing system, a provider should never be able to email you your password, you must reset your password if you forget it.

    0 讨论(0)
  • 执念已碎
    2021-01-05 14:33

    In short, no. With most hashing algorithms, you can have multiple inputs with the same output. It is often better to offer a password reset option.

    0 讨论(0)
  • 無奈伤痛
    2021-01-05 14:37

    To do this you must have a model with the fields:

    Hashed_password
Salt

    And you need to know the method user to hash the password( Here I use SHA1) Then you can define in your controller:

    def self.encrypted_password(password, salt)
   string_to_hash = password + "wibble" + salt
   Digest::SHA1.hexdigest(string_to_hash)
end

    Next you can compare:

    user.Hashed_password == encrypted_password(password, user.salt)

    True means that "password" is the password for the user "user"

    0 讨论(0)
  • 灰色年华
    2021-01-05 14:39

    If you're only storing a hash of the password, then no. ...and you should only be storing a properly-salted hash of their password, anyway.

    Password reset mechanisms are the proper alternative.

    0 讨论(0)
  • 感动是毒
    2021-01-05 14:40

    There are different types of hashing algorithms. Some are more secure than others. MD5 is a popular, but insecure one. The SHA-family is another more secure set of algorithms.

    By definition, a hash is a one way function. It can not be reversed.

    http://en.wikipedia.org/wiki/Sha-1

    0 讨论(0)
 看不清?
提交回复
热议问题