Decode hash sha256 encryption, knowing the salt

I'm making a login system for a web application. To store passwords in the DB, I'm encrypting passwords using sha256 as follows:

<?php
$salt ="sometext";                       // fixed salt, the same for every user
$escapedPW="userpass";                   // the user's password in cleartext
$saltedPW =  $escapedPW . $salt;         // password followed by salt
$hashedPW = hash('sha256', $saltedPW);   // 64-character hex SHA-256 digest, stored in the DB
echo "<center>".$hashedPW."</center>";

In the database I am storing the user, the user's password and the salt used to make the hash and validate the user's login. Right now I'm implementing the functionality to send the user an email with their password, but when the user receives the email, since what is stored is the sha256-encrypted password, the user receives a long string and not the password that the user is supposed to know.

My question is: is there any way that I can send the user the actual password and not the encrypted password, i.e. is there some way to do the reverse of sha256 if I know the salt? If not, what method of encryption would you recommend so that I can reverse the encryption with the key and send the actual password to the user in an email?

franvergara66 asked Sep 06 '13 22:09


People also ask

Can we decrypt SHA256 with salt?

Since SHA256 is a hash based on non-linear functions, there is no decryption method. dCode uses word databases whose hashes have already been calculated (several million potential passwords) and checks whether the hash is known. If it is not known, or if a salt was used, the lookup will probably fail.

Can you decrypt salt?

It is impossible to decrypt it. However, you may be able to crack it by brute force: hashing candidate passwords from a dictionary and looking for one that produces the same hash.

Can we decode SHA256?

SHA-256 is a hash, not encryption, which means that it is one-way and cannot be decrypted.

Can you Unhash something?

Encryption is a two-way function; what is encrypted can be decrypted with the proper key. Hashing, however, is a one-way function that scrambles plain text to produce a unique message digest. With a properly designed algorithm, there is no way to reverse the hashing process to reveal the original password.
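The point made in these snippets, shown as an added example that is not part of the question or the answer: with the salt known (and it is stored next to the hash, so an attacker who reads the table knows it too), a salted SHA-256 hash cannot be inverted, but every candidate password can be hashed the same way and compared. The word list and the two accounts are constructed for the demo.

```php
<?php
// Added example, not code from the question or the answer. It shows what "knowing
// the salt" actually buys: the hash cannot be inverted, but each candidate password
// can be hashed with the same construction and compared. All values are constructed.

$salt = "sometext";   // the fixed salt from the question, stored in the DB alongside the hash

// A tiny constructed word list; real attacks use lists of many millions of entries.
$wordlist = ["123456", "password", "qwerty", "letmein", "userpass"];

// Try every candidate with the same construction the login code uses:
// hash('sha256', password . salt). Returns the password, or null if not found.
function crackSaltedSha256(string $hash, string $salt, array $words): ?string
{
    foreach ($words as $candidate) {
        if (hash_equals($hash, hash('sha256', $candidate . $salt))) {
            return $candidate;
        }
    }
    return null;   // not in the list: the hash stays unreadable
}

// Two constructed accounts hashed exactly as in the question. Because the salt is
// the same for every user, one pass over the word list tests all accounts at once.
$users = [
    "alice" => hash('sha256', "letmein" . $salt),
    "bob"   => hash('sha256', "Tr0ub4dor&3-correct-horse" . $salt),
];

foreach ($users as $name => $hash) {
    $found = crackSaltedSha256($hash, $salt, $wordlist);
    printf("%s: %s\n", $name, $found === null ? "not recovered" : "password is '$found'");
}
```

Running it recovers alice's password from the word list and reports bob's as not recovered. The salt does not let the site owner reverse the hash; it only stops precomputed lookup tables, and a single salt shared by every user does even that poorly, since one guess is checked against every account for the price of one SHA-256.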


1 Answer

As mentioned in the comments of your question, reversing the hash is not really an option.

What you can do, however, and this is what everybody else does as well: in your registration code (e.g. register.php), which your form posts to, you can make the PHP script send the password in an email and then encrypt it and store it in the database.

I suppose you have a registration form of some kind, and that form presumably posts the new user's details to another (or the same) PHP script, doesn't it?

For example, if my form said something like <form method="post" action="register.php">

And in register.php I would then have something like

<?php
// Assumes an open mysql_* connection. That extension was removed in PHP 7,
// so on current PHP use mysqli or PDO with prepared statements instead.
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password']; /* cleartext; it is hashed below, never put into SQL as-is */
$email    = mysql_real_escape_string($_POST['email']);

// At this point the password is still cleartext, so it can be mailed
mail($email, "New account", "Your username is \"$username\" and your password is \"$password\"");

// Hash the submitted password (not a fixed string) together with the salt
$salt     = "sometext";
$saltedPW = $password . $salt;
$hashedPW = hash('sha256', $saltedPW);

// String values must be quoted in the SQL
mysql_query("INSERT INTO users (username, password, email) VALUES ('$username', '$hashedPW', '$email')");

Some rough example code. I hope it helps!

Henrik Skogmo answered Sep 17 '22 13:09
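The registration flow from the answer, reworked as an added example that is not the answer's code: password_hash() replaces the fixed-salt SHA-256 (it generates a random per-user salt and uses a deliberately slow algorithm, bcrypt under PASSWORD_DEFAULT), and the "mail the user their password" step is replaced by a one-time, short-lived reset token, which is the usual way to handle "forgot password" without ever needing the cleartext back. The $users array stands in for the database table, and the function names, the user data and the example.com URL are made up for the demo.

```php
<?php
// Added example, not the answer's code. Per-user salted slow hashing via
// password_hash(), plus a reset-token flow instead of mailing the password.
// $users stands in for the DB table; all names and values are constructed.

$users = [];   // username => ['hash' => ..., 'email' => ..., 'reset' => ...]

function registerUser(array &$users, string $username, string $password, string $email): void
{
    // password_hash() embeds a random salt in its output, so no salt column is needed
    $users[$username] = [
        'hash'  => password_hash($password, PASSWORD_DEFAULT),
        'email' => $email,
        'reset' => null,
    ];
    // The cleartext password is not mailed and not stored anywhere.
}

function loginOk(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]['hash']);
}

// "Forgot password": mail a short-lived one-time token and store only its hash.
function issueResetToken(array &$users, string $username): string
{
    $token = bin2hex(random_bytes(32));              // 256 random bits, URL-safe hex
    $users[$username]['reset'] = [
        'hash'    => hash('sha256', $token),          // a random 256-bit token cannot be guessed, so a fast hash is fine here
        'expires' => time() + 15 * 60,                // 15-minute lifetime
    ];
    // mail($users[$username]['email'], "Password reset", "https://example.com/reset?token=$token");
    return $token;   // returned only so the demo below can use it
}

function resetPassword(array &$users, string $username, string $token, string $newPassword): bool
{
    $pending = $users[$username]['reset'] ?? null;
    if ($pending === null || time() > $pending['expires']) {
        return false;
    }
    if (!hash_equals($pending['hash'], hash('sha256', $token))) {
        return false;                                 // constant-time comparison
    }
    $users[$username]['reset'] = null;                // single use
    $users[$username]['hash']  = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Demo with constructed data
registerUser($users, "alice", "userpass", "alice@example.com");
var_dump(loginOk($users, "alice", "userpass"));
var_dump(loginOk($users, "alice", "wrong"));

$t = issueResetToken($users, "alice");
var_dump(resetPassword($users, "alice", "bogus", "newpass"));
var_dump(resetPassword($users, "alice", $t, "newpass"));
var_dump(resetPassword($users, "alice", $t, "again"));
var_dump(loginOk($users, "alice", "newpass"));
```

The demo logs in with the right password and fails with the wrong one, rejects a bogus reset token, accepts the real token once, rejects it on reuse, and then logs in with the new password. Two design points worth noting: the reset token is hashed before storage so that a database leak does not hand out working reset links, and the comparison uses hash_equals() so that a byte-by-byte string compare does not leak how much of the token was correct.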