
Password recovery with sha1 password hashing

I'd like to implement a forgot password function for my website. I hash the passwords using sha1. How would I recover this for the user?

What's the best method for implementing this?

BigMike asked Oct 26 '10 17:10


3 Answers

Short answer, you can't.

You want to implement a password reset function, not a password retrieval function. The whole point of hashing passwords is that you don't get to store the user's password, and you can't recover it if it is lost.

This should give you a rough idea of how to allow users to reset forgotten passwords:

meagar answered Sep 28 '22 10:09
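The reset flow this answer describes, as an added example that is not part of the original answer: the server issues a random, single-use, time-limited token, stores only a hash of that token, and sends the raw token out-of-band. The in-memory `USERS` and `RESET_TOKENS` dictionaries, the 30-minute lifetime and the PBKDF2 iteration count are constructed assumptions standing in for a real database and a tuned configuration.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60      # assumption: a reset link is valid for 30 minutes
PBKDF2_ITERATIONS = 600_000      # assumption: tune so one hash costs ~100 ms on the server

# Constructed in-memory stand-ins for a users table and a reset_tokens table.
USERS = {
    "alice@example.com": {"salt": "", "password_hash": ""},   # hypothetical account
}
RESET_TOKENS = {}   # sha256(token) -> {"email", "expires", "used"}


def hash_password(password: str) -> dict:
    """Salted, iterated hash for storage (PBKDF2-HMAC-SHA256, fresh 16-byte salt)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "password_hash": digest.hex()}


def _token_key(token: str) -> str:
    """Only a hash of the token is stored, so a dumped table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use, time-limited token to be sent out-of-band (e.g. by email).

    Returns the raw token, or None when the address is unknown. The HTTP layer
    must show the same 'if that address exists, mail is on its way' message in
    both cases so the endpoint does not confirm which addresses are registered.
    """
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    # Any earlier token for this account is invalidated: only the newest link works.
    for record in RESET_TOKENS.values():
        if record["email"] == email:
            record["used"] = True
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    RESET_TOKENS[_token_key(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def consume_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password only if the token is known, unexpired and not yet used."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_token_key(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True                        # burn the token before touching the account
    USERS[record["email"]].update(hash_password(new_password))
    return True


if __name__ == "__main__":
    raw = request_reset("alice@example.com")
    print("token to mail to the user:", raw)
    print("reset accepted:", consume_reset(raw, "new-passphrase"))
    print("replay accepted:", consume_reset(raw, "again"))
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the current time is used. Note that nothing in this flow ever needs the old password, which is exactly why hashing it was never an obstacle.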


The best method is to not attempt to recover the original password. If a user loses their password then generate a new, random one and use an out-of-band method for sending it to them (e.g. email). Remember that the whole point of hashing the password is to prevent recovery.

I know, I know, email is insecure. But if you require users to immediately change the generated password then the risk is mitigated.

By the way, I cannot recommend enough that you also salt the password and iterate the hash to prevent brute-force attacks in the event that an attacker obtains the hashed value.

Cameron Skinner answered Sep 28 '22 08:09
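The salting and iteration this answer recommends, as an added example that is not part of the original answer: bare SHA-1 as in the question is set beside a per-user random salt combined with an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library), with constant-time verification. The iteration count is an assumption to be tuned per deployment; `stored_values_collide` is a constructed helper that makes the difference between the two schemes visible.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

ITERATIONS = 600_000    # assumption: raise until one hash costs ~100 ms on your hardware


def sha1_unsalted(password: str) -> str:
    """The scheme from the question: one deterministic digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Per-user random salt plus an iterated KDF; salt and count are stored alongside."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


def stored_values_collide(hash_fn: Callable[[str], object], password: str) -> bool:
    """Do two users who chose the same password end up with identical stored values?

    If so, one precomputed table, or one cracked entry, covers every account
    with that password; a per-user salt breaks that linkage.
    """
    return hash_fn(password) == hash_fn(password)


if __name__ == "__main__":
    print("bare sha1 links identical passwords:",
          stored_values_collide(sha1_unsalted, "hunter2"))
    print("salted PBKDF2 links identical passwords:",
          stored_values_collide(hash_password, "hunter2"))
    record = hash_password("correct horse")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse", record))
    print("verify wrong:  ", verify_password("Correct horse", record))
```

Each verification here costs the legitimate server one PBKDF2 call per login, but it costs anyone holding a leaked table the same number of iterations for every candidate password against every account, which is the brute-force slowdown the answer is after.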


NO

There is no known effective way of reverting a sha1 hash to its original text (since it's a one-way function by design). If you would like to be able to show users their password at a later time, you will have to store it in a method that would be reversible (i.e. encryption, plaintext). This still is probably a bad idea; try to find a better way of doing it.

Kendall Hopkins answered Sep 28 '22 10:09