close ad
WARNING PC USERS: Do Not Install the DREAMWEAVER CC 2017 Update »
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Why Encrypt passwords - Decrypted ?

Thread began 8/02/2011 11:38 am by un33k9309513 | Last modified 8/04/2011 11:06 am by un33k9309513 | 2897 views | 8 replies |

un33k9309513

Why Encrypt passwords - Decrypted ?

Hi,

I was surprised today by finding out that after encrypting the password with SHA1 using Security Assist, someone can simply copy and paste that encrypted password (if they got into my database full of passwords for users), into a website that will decrypt, and instantly show the password.

So my question is why Encrypt when it can be easily decrypted? I am asking this on a serious note, because I need a way to secure the passwords if you have suggestions please.

thanks,
ed

Sign in to reply to this post

Jason ByrnesWebAssist

that's a very broad subject.

technically, SHA1 encryption is a one way encryption method, meaning that it is not decrypt able.
SHA-1

but in the world of security there are always people who will try to break into anything.

the use of encryption is not really to protect the data if someone breaks into your MySQL server and steals the data , you have bigger problems if that happens, it is to protect the data from being sniffed while being passed from the client browser to your server when the login page is posted, especially if your are not using an SSL layer.

SHA1 is only one encryption method offer by security assist, others such as crypt are a little more secure, they require a salt string to be used when encrypting or decrypting the data, if they salt string is not known, the data will not be able to be decrypted.

Sign in to reply to this post

un33k9309513

Thanks for the feedback. Is there anything I have to do with my db in navicat to make that field for passwords accept SHA1? right now it's set for varchar 40.

I am changing all my pages to use SHA1, but the first one the user_Update.php gave me some trouble. Meaning that the hash is easily decrypted where as the hash that was created on my other site was not an I remember support had me change a setting in navicat mysql. Just wondering why its different now, do I have my db or other settings correct?

Thanks
Ed

Sign in to reply to this post

Jason ByrnesWebAssist

using varchar(40) for the password field should be fine.


I dont understand what you mean by:

  Meaning that the hash is easily decrypted  




SHA1 encryption is a one way encryption format, that is not a method of easily decrypting an SHA1 hash, how are you decrypting it?

Sign in to reply to this post

un33k9309513

Hi,

This is the encrypted hash in my db using SHA1 with SA.

a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

when I searched on google I found this website, which if you paste the above in there it tells you clearly what it decodes to. (test)

sha1-decrypt.aspx

Any thoughts please, am I setting this up correctly?

Thanks,
Ed

Sign in to reply to this post

Jason ByrnesWebAssist

this tool would be able to decrypt the sha1 hash strings from your other table as well.

any type of security is going to have people trying to defeat it, same goes for encryption methods.

like i said in my initial response, SHA1 is only one encryption method offered.

the crypt encryption method uses a salt string which would need to be known in order to decrypt the hash.

Sign in to reply to this post

un33k9309513

Hi

How can I use crypt with Security Assist, or if it involves hand coding, can you tell me where to start?
When I pasted the hash from my other table it wasn't able to decrypt it, I don't know maybe because I have numbers in that password too.

Thanks
Ed

Sign in to reply to this post

Jason ByrnesWebAssist

crypt is included in in Security assist 2.

Sign in to reply to this post

un33k9309513

Thank you for your advice, I will look into it.

Sign in to reply to this post

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...