
Recover a salted and hashed password in python

I have managed to salt and hash password using this method:

import hashlib, uuid
password = "example-password"  # constructed sample; in practice the string the user submitted
salt = uuid.uuid4().hex  # random per-user salt; store it next to the hash
# hashlib needs bytes on Python 3, hence the .encode()
hashed_password = hashlib.sha512((password + salt).encode("utf-8")).hexdigest()

How do I reverse this process to recover the actual password?

Update: You are supposed to take a password from the user, apply the same salt and hash method to their password, and then compare it with the originally salted/hashed password to see if they match. That makes perfect sense.

You don't. Hashing is a technique which is only one way. This is the whole point of hashing.

You never store raw passwords, in order to protect your users if you get a leak of information from your DB.

If you want to implement some "password recover" procedure, you need to do as everyone does: send an email to the person with a temporary link to reset the password, or send a new one randomly generated.

Hashing is one way as in you can only encrypt (for example) a string and then compare the user provided hash with the one your app generates.

However, there is simple-crypt and it may be what you're looking for if you want "2 way" hashing.

Good question.

First off: never send users their passwords in plaintext!!

It's considered a bad security practice for a few reasons.

  • If anyone gets access to a user's email account (gmail, etc), then they have the password and can hijack the user account.

  • Second, hashing is a one-way form of encryption where you turn the password into gibberish. The big value in hashing is that the same password will always be turned into the same gibberish: every time. This means you can do password matching without ever storing the raw password. The reason you're supposed to hash a password and not do 2-way encryption like AES-256, is that 2-way encryption requires the creation, management, and securing of encryption keys which can be hard. Hashing is just easier and more secure for the vast majority of developers.

Instead of implementing password reset stuff by sending a user their password, you should instead send a user a link to a secure page where they can reset their password with a one-time token that expires after a certain amount of time.

This way, even if an attacker gets a hold of someone's email account (gmail, etc.) -- there's only a limited amount of time they can do damage.

There are a variety of ways to do this stuff yourself, but an easy approach to getting a one-time use token you don't have to store or manage is to offload user management to a microservice like Stormpath where it takes care of all the user management for you: password reset, password storage, user profiles, authentication, encryption, hashing, etc.

If you wanted to implement something like this in a Flask web app, for instance, you'd use the Flask-Stormpath library like so:

from flask import Flask
from flask_stormpath import StormpathManager  # the flask.ext.* import style was removed in Flask 1.0

app = Flask(__name__)
app.config['STORMPATH_ENABLE_FORGOT_PASSWORD'] = True  # turns on the emailed reset-link flow

stormpath_manager = StormpathManager(app)

if __name__ == '__main__':
    app.run(port=3000)  # Flask apps start with run(); listen() is not a Flask method

NOTE : I work at Stormpath, but these rules apply regardless of what you're using and help make any application more secure.
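The two pieces this thread describes, put together as an added example that is not part of any post above: verification by re-hashing the candidate with the stored salt (the asker's update) and a time-limited, single-use reset token instead of emailing a password (the last answer). It keeps the question's sha512(password + salt) construction; the in-memory dicts, the usernames and the 15-minute lifetime are constructed for the illustration, and secrets.token_hex stands in for uuid4().hex as the salt source.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stores standing in for database tables (illustration only)
USERS = {}         # username -> {"salt": hex, "hash": hex}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry as epoch seconds)

def hash_password(password, salt):
    # Same construction as the question: sha512 over password + salt.
    # A dedicated password hash (PBKDF2, bcrypt, scrypt, Argon2) is preferable
    # to one fast SHA-512 round, but the verification logic below is identical.
    return hashlib.sha512((password + salt).encode("utf-8")).hexdigest()

def register(username, password):
    salt = secrets.token_hex(16)  # fresh random salt per user, stored beside the hash
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}

def verify_password(username, candidate):
    # No reversal: re-hash the candidate with the stored salt and compare.
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time compare so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(hash_password(candidate, rec["salt"]), rec["hash"])

def issue_reset_token(username, ttl_seconds=900, now=None):
    # Random one-time token for the reset link. Only its hash is kept server-side,
    # so a leaked table does not hand out usable links.
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[key] = (username, now + ttl_seconds)
    return token

def reset_password(token, new_password, now=None):
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # pop: a token is consumed on first use, valid or not
    if entry is None:
        return False
    username, expires = entry
    if now > expires:
        return False  # link expired; user must request a new one
    register(username, new_password)  # new salt and new hash
    return True
```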
