
How to rehash a password stored in my database? (PHP)

I have some passwords encrypted in my database and I would like to find a way to display them. Here is how they are saved in my MySQL database:

// Builds a 25-character salt (or truncates a supplied one) and stores it in
// front of sha1(salt . password), so the salt can be read back from the
// stored value when a password is checked.
function generateHash($plainText, $salt = null)
{
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, 25);
    } else {
        $salt = substr($salt, 0, 25);
    }

    return $salt . sha1($salt . $plainText);
}

$secure_pass = generateHash($this->clean_password);

Then $secure_pass is saved in my database.

Would anyone have an idea?

Thank you very much ;)

You must never display a password.
You must never display a password.
You must never display a password.

The entire point of hashing a password is to make this impossible.

Since you're using a somewhat insecure hash, it's a little bit less impossible, but you still can't do it.

You should use SHA512 instead of SHA1 to make this more impossible.

The point of a cryptographic hash is that it's nigh-impossible to reverse the operation. So basically the answer here is no, you cannot.

There are an infinite number of values that will produce any single hash, so there is no way to reproduce with certainty the original password that was given.

You can, however, display working passwords by one of the following methods:

Caveat: Obviously, if security is important to you, you should do none of the above. If you want to allow users who forgot their password, I suggest you read about password resetting.

You can't reverse a hash function, sooo... you're left with two options:

1. Force the user to enter a new password, or...

2. Update the hash as users log in to your system again (you can force-expire the cookies and sessions that allow a user to log in without retyping their password). This solution will allow your users to log in with the old hash, and at the same time you will update the old hash to the new one. The next time your user logs in, the script will use the new version of the hash to log the user in.

In this example I have used md5 as the hash I want to update to BCRYPT with cost = 12, but feel free to change it to whatever you need. A change from BCRYPT cost = 10 to BCRYPT cost = 12 would also work, or any other combination. Consider this example:

$passwordFromDatabase = "0d107d09f5bbe40cade3de5c71e9e9b7"; // md5 hash of "letmein"
$passwordFromForm = $_POST['password']; // $_POST['password'] == "letmein"

// password_needs_rehash() reports true for a value that is not a
// password_hash() result (a bare md5 hex string here), so the first
// branch catches every legacy hash
if (password_needs_rehash($passwordFromDatabase, PASSWORD_BCRYPT, ["cost" => 12]) && md5($passwordFromForm) === $passwordFromDatabase) {
    // generate new password hash
    $newPasswordHash = password_hash($passwordFromForm, PASSWORD_BCRYPT, ["cost" => 12]);
    // update hash in database - replace old hash $passwordFromDatabase with new hash $newPasswordHash
    // after update login user
    if (password_verify($passwordFromForm, $newPasswordHash)) {
        // user has logged in successfully and hash was updated
        // redirect to user area
    } else {
        // oops, something went wrong: Exception
    }
} else {
    if (password_verify($passwordFromForm, $passwordFromDatabase)) {
        // user password hash from database is already BCRYPTed, no need to rehash
        // user has logged in successfully
        // redirect to user area
    } else {
        // wrong password
        // no access granted - stay where you are
    }
}

I prefer the second option :). Make your own choice. If you pick the second option and choose not to kick the cookies and sessions that allow a user to log in without providing the password, it's OK too... The change will happen over time, and no one will even notice the change.
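As an added example (not code from the question or from any answer on this page), the following PHP ties the two halves of the thread together: it verifies logins against the asker's legacy format, a 25-character salt followed by sha1(salt . password), and on the next successful login replaces the stored value with password_hash(), which is the second option described above. It assumes PHP 8 with the pdo_sqlite extension for the self-check at the bottom, and a users table with columns id, username and password_hash; those names, the cost of 12 and the sample user are assumptions, not taken from the page.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or any answer on this page.
// Assumptions: PHP 8+, a PDO handle, and a `users` table with columns
// id, username, password_hash (table and column names are assumed).

const LEGACY_SALT_LEN = 25;
const PASSWORD_OPTIONS = ['cost' => 12];

/** Legacy values are 25 salt chars + 40 hex chars of SHA-1; password_hash() output starts with "$". */
function isLegacyHash(string $stored): bool
{
    return !str_starts_with($stored, '$') && strlen($stored) === LEGACY_SALT_LEN + 40;
}

/** Recompute the legacy hash with the salt stored in front of it; compare in constant time. */
function verifyLegacy(string $plainText, string $stored): bool
{
    $salt = substr($stored, 0, LEGACY_SALT_LEN);
    return hash_equals($stored, $salt . sha1($salt . $plainText));
}

/**
 * Check a login attempt. On success, replace a legacy hash, or a bcrypt hash
 * with weaker parameters than PASSWORD_OPTIONS, with a fresh password_hash().
 * Returns true only when the password is correct.
 */
function loginAndUpgrade(PDO $pdo, string $username, string $plainText): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    $stored = $row['password_hash'];
    if (isLegacyHash($stored)) {
        $ok = verifyLegacy($plainText, $stored);
        $needsRehash = true;   // always move off the legacy scheme
    } else {
        $ok = password_verify($plainText, $stored);
        $needsRehash = password_needs_rehash($stored, PASSWORD_BCRYPT, PASSWORD_OPTIONS);
    }

    if ($ok && $needsRehash) {
        // The plaintext is only in hand during login, so this is the one
        // moment at which the stored value can be replaced.
        $new = password_hash($plainText, PASSWORD_BCRYPT, PASSWORD_OPTIONS);
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([$new, $row['id']]);
    }
    return $ok;
}

/** Fail loudly; assert() may be compiled out depending on zend.assertions. */
function check(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException($msg);
    }
}

// Self-check against an in-memory SQLite database with one constructed legacy row.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

$salt = substr(bin2hex(random_bytes(16)), 0, LEGACY_SALT_LEN);  // same shape as the asker's salt
$legacy = $salt . sha1($salt . 'letmein');                       // constructed sample password
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')->execute(['alice', $legacy]);

$fetch = fn(): string => (string) $pdo->query("SELECT password_hash FROM users WHERE username = 'alice'")->fetchColumn();

check(loginAndUpgrade($pdo, 'alice', 'wrong-password') === false, 'wrong password must be rejected');
check(isLegacyHash($fetch()), 'a failed login must not touch the stored hash');

check(loginAndUpgrade($pdo, 'alice', 'letmein') === true, 'correct password must be accepted');
check(str_starts_with($fetch(), '$2y$12$'), 'successful login must upgrade the hash to bcrypt cost 12');
check(loginAndUpgrade($pdo, 'alice', 'letmein') === true, 'second login must verify against the bcrypt hash');
echo "migration ok\n";
```

The legacy branch uses hash_equals() rather than === so the comparison does not leak where the first mismatching byte is, and a failed login never writes to the table; only a verified password is ever rehashed. Once every active user has logged in once, any rows still matching isLegacyHash() belong to accounts that never returned, and those can be forced through a password reset.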

You've run them through SHA1 - the original passwords are destroyed and unrecoverable by any practical means. You COULD try to find another string that produces the same SHA1, but that'd be more effort than it's worth.
