Decrypt the Password

  • palanidharma
    New Member
    • Feb 2008
    • 10

    Decrypt the Password

    Hi,

    I am new to PHP. I have saved the password in encrypted format in the database.
    Now I want to know how to retrieve the password in decrypted format.


    reply me
  • satas
    New Member
    • Nov 2007
    • 82

    #2
    Originally posted by palanidharma
    Hi,

    I am new to PHP. I have saved the password in encrypted format in the database.
    Now I want to know how to retrieve the password in decrypted format.


    reply me
    The reason why passwords are stored in encrypted format is to protect them as well as possible. For example, even if your database has been hacked, the hacker won't be able to use the passwords because of the encryption.
    The algorithm which uses the encrypted password should get the non-encrypted password and compare its encrypted form with the string in the database.
    So, there is no way to decrypt a well-encrypted password.


    • Markus
      Recognized Expert Expert
      • Jun 2007
      • 6092

      #3
      Originally posted by palanidharma
      Hi,

      I am new to PHP. I have saved the password in encrypted format in the database.
      Now I want to know how to retrieve the password in decrypted format.


      reply me
      As Satas said, encryption methods are used so the password could never be cracked - for this to be the case there needs to be no decryption method.

      Why are you wanting to retrieve the password?


      • palanidharma
        New Member
        • Feb 2008
        • 10

        #4
        Originally posted by markusn00b
        As Satas said, encryption methods are used so the password could never be cracked - for this to be the case there needs to be no decryption method.

        Why are you wanting to retrieve the password?


        I am creating a change password option.


        • Markus
          Recognized Expert Expert
          • Jun 2007
          • 6092

          #5
          Originally posted by palanidharma
          I am creating a change password option.
          Oh, so you are going to compare a user given password with the password in the database?

          All you do there is use the same encryption method you used with the database password on the newly supplied password.

          [php]
          # connect to database
          # retrieve password

          # change for your encryption method
          $_Pass = md5($_POST['Pass']);

          # strict comparison: == would treat two "0e..." digests as equal numbers
          if ($_Pass === $_DatabasePass)
          {
              # execute some code
          }
          else
          {
              # they didn't match
          }
          [/php]
          Hope this helped :)


          • palanidharma
            New Member
            • Feb 2008
            • 10

            #6
            Originally posted by markusn00b
            Oh, so you are going to compare a user given password with the password in the database?

            All you do there is use the same encryption method you used with the database password on the newly supplied password.

            [php]
            # connect to database
            # retrieve password

            # change for your encryption method
            $_Pass = md5($_POST['Pass']);

            # strict comparison: == would treat two "0e..." digests as equal numbers
            if ($_Pass === $_DatabasePass)
            {
                # execute some code
            }
            else
            {
                # they didn't match
            }
            [/php]
            Hope this helped :)


            Hi,

            I know how to encrypt the password. How do I get the encrypted password converted to decrypted?


            • Markus
              Recognized Expert Expert
              • Jun 2007
              • 6092

              #7
              Originally posted by palanidharma
              Hi,

              I know how to encrypt the password. How do I get the encrypted password converted to decrypted?
              Put simply, you can't.

              You have to momentarily encrypt a new password to compare against the one in the database.


              • hadi00
                New Member
                • Mar 2008
                • 9

                #8
                What encryption method did you use?


                • nathj
                  Recognized Expert Contributor
                  • May 2007
                  • 937

                  #9
                  Hi,

                  At the risk of wading into a debate in full flow, here is my 2 cents' worth.

                  Encryption is a two-way process; it is possible to decrypt. This is often because the length of the input determines the length of the output. This provides a very good starting point for decrypting something that has been encrypted.

                  Now before everyone jumps on me and points out how stupid this is, please read on.

                  When it comes to passwords in a database they need to be secured. Encryption, in the strict definition given above, is therefore not secure. If you know how to decrypt an encrypted value then so does a hacker.

                  The solution then is to use hashing. The beauty of a good hashing algorithm is that the output length is always the same regardless of the input length. This makes it impossible to de-hash.

                  So, to the original question/issue. Don't attempt to decrypt anything. Store the password in a hashed form in the database. When a user enters this password as normal text, whether to log in or to change the password, hash the supplied value and check that against the item in the db - as Markusnoob showed you in pseudo code.

                  If the user forgets their password you do not need to de-hash it and tell them; rather you need to check who they are and then generate a new password and send it to their designated email address.

                  Cheers
                  nathj


                  • ronverdonk
                    Recognized Expert Specialist
                    • Jul 2006
                    • 4259

                    #10
                    Originally posted by palanidharma
                    Hi,

                    I know how to encrypt the password. How do I get the encrypted password converted to decrypted?
                    The whole point of securing and using encrypted passwords is that nobody (in theory) is able to reconstruct the password from the encrypted version! What security would you have in that case?

                    Normally, in a secure environment, you never reconstruct a password and send that to the user. Instead you make up a new readable password, send that to the user and store it in an encrypted format in the database.

                    Ronald


                    • Markus
                      Recognized Expert Expert
                      • Jun 2007
                      • 6092

                      #11
                      Originally posted by nathj
                      The solution then is to use hashing. The beauty of a good hashing algorithm is that the output length is always the same regardless of the input length. This makes it impossible to de-hash.
                      So hashing isn't the same as encryption? I always assumed (I do that a lot) that 'hashing' was a fancy word for encryption.

                      Oh, and well put!


                      • satas
                        New Member
                        • Nov 2007
                        • 82

                        #12
                        Originally posted by markusn00b
                        So hashing isn't the same as encryption? I always assumed (I do that a lot) that 'hashing' was a fancy word for encryption.

                        Oh, and well put!
                        I think that hashing is a part of encryption:
                        [PHP]$ready_pass = md5(md5(md5($pass).$salt2).$salt1);[/PHP]
                        ;)


                        • TheServant
                          Recognized Expert Top Contributor
                          • Feb 2008
                          • 1168

                          #13
                          So md5 returns an encryption the same length as the input?


                          • Markus
                            Recognized Expert Expert
                            • Jun 2007
                            • 6092

                            #14
                            md5() returns a 32 character long string, regardless of the size of the raw string.

                            Does for me, anyway.


                            • RoninOni
                              New Member
                              • Mar 2008
                              • 9

                              #15
                              If you want a way to decrypt passwords, then you need to encrypt all passwords with your own defined encryption method, which you reverse the process of in order to determine the original password.

                              However that is highly unadvised and unnecessary.

                              It is unadvised because then anyone who manages to steal the encryption method can then decrypt any and all passwords.

                              It is unnecessary because, say, you have 3 fields to change the password:
                              Old password:
                              New password:
                              Confirm new password:

                              Making sure the new and confirm match can be done via JavaScript before submitting (and server side just to be sure), as well as making sure that the old and new DON'T match, all prior to encryption. Then encrypt the old and new, make sure the old matches what's in the database to confirm they can change it, then input the new encrypted password. Voila.

                              NEVER store unencrypted passwords, or send them over non SSL connections unless you really don't care about being hacked..... uhm yah


                              BTW, there is an (albeit incredibly large) database out there that hackers use to look up passwords based on md5 or other encryption. Thankfully, those that have it aren't usually very willing to share it, though it only takes 1.

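The change-password flow described in post #15, as an added example that is not part of the original thread. It assumes PHP's built-in `password_hash()` and `password_verify()` (a salted, deliberately slow hash) in place of the `md5()` calls posted above; the `changePassword` helper and the in-memory `$users` array are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table so the example runs offline;
// a real application would read and update this column through PDO.
$users = ['alice' => password_hash('old-Secret-1', PASSWORD_DEFAULT)];

// Hypothetical helper: returns null on success, or the reason for refusal.
function changePassword(array &$users, string $name, string $old,
                        string $new, string $confirm): ?string
{
    if (!isset($users[$name])) {
        return 'unknown user';
    }
    // Server-side repeat of the checks a JavaScript form may already do.
    if ($new !== $confirm) {
        return 'new password and confirmation differ';
    }
    if ($old === $new) {
        return 'new password must differ from the old one';
    }
    // Re-hash the supplied old password with the salt and cost stored inside
    // the hash string and compare; the stored value is never reversed.
    if (!password_verify($old, $users[$name])) {
        return 'old password is wrong';
    }
    // Each call picks a fresh random salt, so equal passwords get different
    // stored values and lookup tables of plain digests do not apply.
    $users[$name] = password_hash($new, PASSWORD_DEFAULT);
    return null;
}

$attempts = [
    ['guess', 'new-Secret-2', 'new-Secret-2'],        // wrong old password
    ['old-Secret-1', 'new-Secret-2', 'new-Secret-3'], // confirmation typo
    ['old-Secret-1', 'new-Secret-2', 'new-Secret-2'], // valid change
];
foreach ($attempts as [$old, $new, $confirm]) {
    $error = changePassword($users, 'alice', $old, $new, $confirm);
    echo $error ?? 'password changed', PHP_EOL;
}
// After the valid change only the new password verifies.
var_dump(password_verify('new-Secret-2', $users['alice']));
var_dump(password_verify('old-Secret-1', $users['alice']));
```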