Question
I am working on a project where I had got my password field value's hashCode and stored that hashCode in the DB for security purposes. Now I want to recover the password from the hashCode. How can I do it? Is it possible to get the String value back from the hashCode? If it is not, can anyone suggest me a better way to store my password in any other format?
Answer 1:
You know that several objects can have the same hash(), as mentioned in the Javadoc for Object.hashCode():

    It is not required that if two objects are unequal according to the equals(java.lang.Object) method, then calling the hashCode method on each of the two objects must produce distinct integer results.

It's obvious you can't restore different objects from the same hash code, so it's impossible at all, simple logic.
Answer 2:
Hashing is a one-way function (it should be, at least), so you cannot recover the password from the hash.
However, you can apply the same hashing to any string and compare it to the hash of the password, so you can check if they match.
With good hashing, the chances of having two strings with the same hash are quite low, so you can compare the hash of the password (which you can store) and the hash of another string to determine if they are the same.
Another point is that hashCode is not a good way to produce such hashes, as we can easily have two objects with the same hashCode. You can use implementations such as PBKDF2, BCrypt, etc.
Answer 3:
One technique is to brute-force it. Just run through every possible password. You can get through a surprising number if the hashing algorithm is not designed to be computationally expensive.
If it's really String.hashCode then that's not cryptographically secure. Not by a long shot. As ΦXocę 웃 Пepeúpa ツ's answer alludes to, you can probably work backwards to one (of many) possible passwords by hand.
How should you do it? Use a well-known cryptographic hash. Preferably one that can be made computationally expensive, such as bcrypt. Also you should salt the password (a random number combined with the password before hashing, to prevent the use of compact precomputed lookup tables (rainbow tables) to crack in bulk). Essentially, use someone else's library/system.
Answer 4:
Not a good idea; hashCode should never ever be used as an identifier to prove equality of objects...
consider this:
System.out.println("Aa".hashCode());
System.out.println("BB".hashCode());
Both have the same hashCode, 2112, but hold completely different information.
Source: https://stackoverflow.com/questions/44901075/how-can-i-get-the-string-from-hashcode