encryption

**dafodil** · Jul 25 '07, 11:38 AM

Originally posted by badrian

I am using the SHA1 algorithm to encrypt user passwords. Fair enough. Many user sign in forms also have a provision to
send you your password should you forget it. Is this possible
with sha1. Once encrypted, I don't see any we to retrieve it.
Brian

I don't have idea about this SHA1, since I don't use it but hope this link helps you

SHA-1 - Wikipedia

http://en.wikipedia.org/wiki/SHA-1#SHA-1_algorithm

This will test your reverse engineering skills.

good luck.

**kovik** · Jul 26 '07, 01:54 AM

Hashing and encryption are different. Encryption means you can decrypt the data, but hashed data is irretrievable. The way you allow users to deal with forgotten passwords is to have a security question (or some other form of verification that they wouldn't forget), and then an email that gives them a randomly generated code that you have stored to confirm that it is the same person, then allow them to create a new password.

Security is a broad topic, and you should think about everything that could go wrong during the "forgot your password" process. You want to avoid other people from stealing a password, so take the necessary measures.

**dafodil** · Jul 26 '07, 03:07 AM

You mean to say you can't decrypt SHA-1 since it is hashing?

How come in this site they said that SHA-1 is an encryption algorithm?
If you look closely at the first paragraph it is written that SHA-1 is a Hash encryption algorithm?

Sha-256 | Sha 256 Algorithm | Sha Algorithm

http://www.vocal.com/SHA1.html

Our wide range of hardware and software cryptographic solutions include SHA-1 and SHA-2 (SHA-256) Hash encryption algorithms used to generate a message digest.

I just want to clear things up.
SHA-1 algorithm is included in the Cryptographic hash function.
It means to say you that they are Data encryption functions.

Check this site for reference:

Cryptographic hash function - Wikipedia

http://en.wikipedia.org/wiki/Cryptographic_hash_functions

read the Applications of hash functions part over there.
There is a part there referring to password encryption.

First of all if Iam going to invent a formula to encrypt files, Why would I not want to decrypt it.
Right?

**dafodil** · Jul 26 '07, 03:30 AM

There is already some security issues about SHA-1.

In various standards and applications, the two most-commonly used hash functions are MD5 and SHA-1. In 2005, security flaws were identified in both algorithms.

Reference:

Cryptographic hash function - Wikipedia

http://en.wikipedia.org/wiki/Cryptographic_hash_functions

There are other cryptographic hash functions. Check the table for the list.

**kovik** · Jul 26 '07, 04:02 AM

So are you saying that SHA1 is encryption, and not hashing? Because all other SHA algorithms are hashing.

**dafodil** · Jul 26 '07, 04:04 AM

Originally posted by volectricity

So are you saying that SHA1 is encryption, and not hashing? Because all other SHA algorithms are hashing.

Its already written there its hashing. I just don't understand why you said that hashed data is irretrievable. When you can actually decrypt it.

**nathj** · Jul 26 '07, 08:05 AM

Originally posted by badrian

I am using the SHA1 algorithm to encrypt user passwords. Fair enough. Many user sign in forms also have a provision to
send you your password should you forget it. Is this possible
with sha1. Once encrypted, I don't see any we to retrieve it.
Brian

I am having to develop a similar system. What I intend to do if a user forgets the password is generate a new random one.

However, they will have to identify themselves first by supplying:
1) Their username
2) Their main email address - the new password will be sent to this address
3) The contents of a captcha image.

The first two will be validated against the database and if there is no match the password is not reset.

For the purposes of my system this is fine, it may also be worth adding the security questions like mothers maiden name, name of junior school etc to this process.

I have deliberatly not developed a mechanism to decrypt the passwords as I don't want to to be able to know all the passwords. So if a user forgets their password then they get a new one which when used they can reset or keep.

This is my solution to the problem, without too much discussion on hashing and encryption.

Cheers
nathj

**dafodil** · Jul 26 '07, 08:15 AM

Originally posted by nathj

I am having to develop a similar system. What I intend to do if a user forgets the password is generate a new random one.

However, they will have to identify themselves first by supplying:
1) Their username
2) Their main email address - the new password will be sent to this address
3) The contents of a captcha image.

The first two will be validated against the database and if there is no match the password is not reset.

For the purposes of my system this is fine, it may also be worth adding the security questions like mothers maiden name, name of junior school etc to this process.

I have deliberatly not developed a mechanism to decrypt the passwords as I don't want to to be able to know all the passwords. So if a user forgets their password then they get a new one which when used they can reset or keep.

This is my solution to the problem, without too much discussion on hashing and encryption.

Cheers
nathj

That's an alternative not actually a solution to the problem his asking.

**nathj** · Jul 26 '07, 08:18 AM

Originally posted by dafodil

That's an alternative not actually a solution to the problem his asking.

That's correct - but an alternative can indeed be a solution. The process of decrypting passwords is not one I would ever reccommend.

nathj

**kovik** · Jul 26 '07, 04:27 PM

Originally posted by dafodil

Its already written there its hashing. I just don't understand why you said that hashed data is irretrievable. When you can actually decrypt it.

That is where you are incorrect. Encryption is a function performed with a key that turns cleartext into unintelligible data, which can be reverted back using the key. Hashing is a one-time function that turns any data into a fixed length string.

If you don't understand what I'm saying, hash (using SHA-0 or higher, or MD5) any small string, then hash an entire paragraph. They both will produce the same amount of characters. What makes you think that they can possibly be decrypted to get their original contents?

encryption

encryption

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment