Decrypting rfc2898 password

Submitted by China☆狼群 on 2020-01-06 07:14:50

Question


I'm in the middle of development and I need to test my login/password api.

Problem is, in the database the password is encrypted.

I have the following information.

  • key
  • iteration
  • salt

Is this enough to recover the password?

By the way I can edit these values as well if that will help.


Answer 1:


I think you misunderstood how a password API works. You cannot reverse a properly hashed password, but you can validate an entered password against the stored hash.

To validate the entered password, you need to calculate the hash again, with the same parameters you used to create the first hash. Then you can compare the two hashes; if they match, the password was the same.
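The recompute-and-compare check from this answer, written out as an added example (not code from the question or the answer). It assumes a per-user record holding the three values the question lists (salt, iteration count, derived key) plus the PRF name, and picks HMAC-SHA-256, 100,000 iterations, a 16-byte random salt and a 32-byte key as illustrative parameters; the PRF field is what lets the same check verify a record produced by .NET's Rfc2898DeriveBytes, which defaults to HMAC-SHA-1.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions for this example, not from the question).
DEFAULT_PRF = "sha256"        # PBKDF2-HMAC-SHA-256; .NET Rfc2898DeriveBytes defaults to "sha1"
DEFAULT_ITERATIONS = 100_000
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, *, prf: str = DEFAULT_PRF,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None, key_len: int = KEY_LEN) -> dict:
    """Build the per-user record a login API stores: PRF name, iteration
    count, random salt and the PBKDF2 output. Nothing in it is reversible;
    the record only lets us rerun the same derivation later."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh random salt for every password
    key = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, key_len)
    return {"prf": prf, "iterations": iterations, "salt": salt, "key": key}


def verify_password(candidate: str, record: dict) -> bool:
    """Rerun PBKDF2 with the stored parameters and compare the fresh output
    against the stored key. The comparison is constant-time so a wrong guess
    does not leak how many leading bytes matched."""
    derived = hashlib.pbkdf2_hmac(record["prf"], candidate.encode("utf-8"),
                                  record["salt"], record["iterations"],
                                  len(record["key"]))
    return hmac.compare_digest(derived, record["key"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("same password verifies:", verify_password("correct horse battery staple", rec))
    print("other password verifies:", verify_password("Tr0ub4dor&3", rec))
```

Because the salt is random, hashing the same password twice gives two different records, which is why the check must be done by recomputation against the stored salt rather than by comparing records to each other.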




Answer 2:


You cannot reverse PBKDF2, but you could brute-force the common passwords to see if any of them matches. If a random salt is used every time, then you will need to do that for each password independently. If a large iteration count is used then prepare for it to take very long.




Answer 3:


First, you should just reset it.

Second, you can recover it if and only if the password was weak (assuming correctly implemented PBKDF2), and you either know which HMAC it used (probably was PBKDF2-HMAC-SHA-1 - test with a known password), or you're willing to spend time trying several and hoping.

Try a tool like oclHashcat that's designed for password cracking - note PBKDF2 generic at the end of the list of examples for this, preferably with one or more good GPUs.

Alternately, if you're just testing your password API, you can run the test vectors at my Github repository through it and see if your results are correct or not.
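An added example (not code from the question or either answer) covering the two approaches above: Answer 2's dictionary attack against a stored PBKDF2 record, and Answer 3's suggestion to find out which HMAC was used by testing a record whose password you know. The stored record, the wordlist and the candidate PRF list are all constructed for the example; HMAC-SHA-1 is tried first because .NET's Rfc2898DeriveBytes defaults to it. The benchmark function is there to make the "prepare for it to take very long" point concrete for a given iteration count.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# PRFs to try when the record does not record which HMAC was used (assumption).
CANDIDATE_PRFS = ("sha1", "sha256", "sha512")

# Constructed stand-in for a real "common passwords" wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2015", "Welcome1"]


def pbkdf2(prf: str, password: str, salt: bytes, iterations: int, key_len: int) -> bytes:
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, key_len)


def identify_prf(known_password: str, salt: bytes, iterations: int,
                 key: bytes) -> Optional[str]:
    """Answer 3's 'test with a known password': given a record whose password
    you know, return the HMAC that reproduces the stored key, or None."""
    for prf in CANDIDATE_PRFS:
        if hmac.compare_digest(pbkdf2(prf, known_password, salt, iterations, len(key)), key):
            return prf
    return None


def crack(salt: bytes, iterations: int, key: bytes,
          wordlist=WORDLIST, prfs=CANDIDATE_PRFS) -> Optional[Tuple[str, str]]:
    """Answer 2's dictionary attack: derive every candidate with the stored
    salt and iteration count and compare. Returns (password, prf) on a hit.
    The salt is folded into every derivation, so nothing from one cracked
    record carries over to another; the whole loop reruns per user."""
    for prf in prfs:
        for word in wordlist:
            if hmac.compare_digest(pbkdf2(prf, word, salt, iterations, len(key)), key):
                return word, prf
    return None


def guesses_per_second(prf: str, iterations: int, key_len: int = 20,
                       samples: int = 20) -> float:
    """Single-core guess rate on this machine, so the cost of a wordlist can
    be estimated up front as wordlist_size / rate seconds."""
    salt = b"benchmark-salt"
    start = time.perf_counter()
    for i in range(samples):
        pbkdf2(prf, f"guess{i}", salt, iterations, key_len)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed record: what a login API would store for the weak password
    # "Summer2015" under PBKDF2-HMAC-SHA-1 with 1000 iterations and a 20-byte key.
    salt = bytes.fromhex("8e2f1c7d9a0b4c3d5e6f708192a3b4c5")
    iterations = 1000
    key = pbkdf2("sha1", "Summer2015", salt, iterations, 20)

    print("PRF identified from known password:", identify_prf("Summer2015", salt, iterations, key))
    print("dictionary hit:", crack(salt, iterations, key))
    rate = guesses_per_second("sha1", iterations)
    print(f"~{rate:.0f} guesses/s at {iterations} iterations on one core; "
          f"a 14M-word list would take ~{14_000_000 / rate / 3600:.1f} h")
```

The loop is the same work a GPU cracker does, just without the parallelism; the iteration count multiplies the cost of every single guess, which is the whole reason a high count is chosen when the record is created.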



Source: https://stackoverflow.com/questions/33796138/decrypting-rfc2898-password
