
Technical Support Forums

Free, outstanding support from WebAssist and your colleagues


Why Encrypt passwords - Decrypted ?

Thread began 8/02/2011 8:38 am by un33k9309513 | Last modified 8/04/2011 8:06 am by un33k9309513 | 5256 views | 8 replies |

un33k9309513

Why Encrypt passwords - Decrypted ?

Hi,

I was surprised today by finding out that after encrypting the password with SHA1 using Security Assist, someone can simply copy and paste that encrypted password (if they got into my database full of passwords for users), into a website that will decrypt, and instantly show the password.

So my question is why Encrypt when it can be easily decrypted? I am asking this on a serious note, because I need a way to secure the passwords if you have suggestions please.

thanks,
ed


Jason ByrnesWebAssist

that's a very broad subject.

technically, SHA1 encryption is a one way encryption method, meaning that it is not decryptable.
SHA-1

but in the world of security there are always people who will try to break into anything.

the use of encryption is not really to protect the data if someone breaks into your MySQL server and steals the data, you have bigger problems if that happens, it is to protect the data from being sniffed while being passed from the client browser to your server when the login page is posted, especially if you are not using an SSL layer.

SHA1 is only one encryption method offered by Security Assist, others such as crypt are a little more secure, they require a salt string to be used when encrypting or decrypting the data, if the salt string is not known, the data will not be able to be decrypted.


un33k9309513

Thanks for the feedback. Is there anything I have to do with my db in navicat to make that field for passwords accept SHA1? right now it's set for varchar 40.

I am changing all my pages to use SHA1, but the first one, the user_Update.php, gave me some trouble. Meaning that the hash is easily decrypted, whereas the hash that was created on my other site was not, and I remember support had me change a setting in navicat mysql. Just wondering why it's different now, do I have my db or other settings correct?

Thanks
Ed


Jason ByrnesWebAssist

using varchar(40) for the password field should be fine.


I don't understand what you mean by:

  Meaning that the hash is easily decrypted

SHA1 encryption is a one way encryption format, there is not a method of easily decrypting an SHA1 hash, how are you decrypting it?


un33k9309513

Hi,

This is the encrypted hash in my db using SHA1 with SA.

a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

when I searched on google I found this website, which if you paste the above in there it tells you clearly what it decodes to. (test)

sha1-decrypt.aspx

Any thoughts please, am I setting this up correctly?

Thanks,
Ed


Jason ByrnesWebAssist

this tool would be able to decrypt the sha1 hash strings from your other table as well.

any type of security is going to have people trying to defeat it, same goes for encryption methods.

like i said in my initial response, SHA1 is only one encryption method offered.

the crypt encryption method uses a salt string which would need to be known in order to decrypt the hash.

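An added example, not part of the thread and not Security Assist code: lookup sites of the kind mentioned above return a password by finding its hash in a precomputed table, which works because unsalted SHA-1 gives everyone who picks "test" the same hash. The PHP below shows that lookup next to PHP's built-in `password_hash()` (random per-password salt, bcrypt); the wordlist and the `checkAndUpgrade()` helper are constructed for illustration.

```php
<?php
// Added example; not Security Assist code. Needs PHP 7.1+.

// Unsalted SHA-1 hash quoted in the thread.
$stored = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3';

// Constructed wordlist standing in for a lookup site's precomputed table.
$table = [];
foreach (['password', 'letmein', 'test', 'qwerty'] as $word) {
    $table[sha1($word)] = $word; // same input always gives the same hash
}
echo 'lookup of stored hash: ', $table[$stored] ?? '(not found)', "\n";

// password_hash() picks a random salt per call and stores it, with the
// cost, inside the returned string, so equal passwords hash differently.
$h1 = password_hash('test', PASSWORD_BCRYPT, ['cost' => 12]);
$h2 = password_hash('test', PASSWORD_BCRYPT, ['cost' => 12]);
echo 'hashes differ: ', var_export($h1 !== $h2, true), "\n";
echo 'in table: ', var_export(isset($table[$h1]), true), "\n";
echo 'length: ', strlen($h1), " (does not fit varchar(40))\n";

/**
 * Hypothetical login helper: checks a password against either a legacy
 * SHA-1 row or a password_hash() row, and returns the hash to store back
 * (upgraded where needed) or null when the password is wrong.
 */
function checkAndUpgrade(string $password, string $storedHash): ?string
{
    $legacy = (bool) preg_match('/^[0-9a-f]{40}$/i', $storedHash);
    if ($legacy) {
        // hash_equals() compares in constant time.
        if (!hash_equals(strtolower($storedHash), sha1($password))) {
            return null;
        }
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    }
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])
        ? password_hash($password, PASSWORD_BCRYPT, ['cost' => 12])
        : $storedHash;
}

$upgraded = checkAndUpgrade('test', $stored);
echo 'legacy row upgraded: ', var_export($upgraded !== null && password_verify('test', $upgraded), true), "\n";
echo 'wrong password rejected: ', var_export(checkAndUpgrade('Test', $stored) === null, true), "\n";
```

A bcrypt string is 60 characters, so the password column has to be widened before storing it; the PHP manual suggests 255 characters to leave room for future algorithms.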

un33k9309513

Hi

How can I use crypt with Security Assist, or if it involves hand coding, can you tell me where to start?
When I pasted the hash from my other table it wasn't able to decrypt it, I don't know maybe because I have numbers in that password too.

Thanks
Ed


Jason ByrnesWebAssist

crypt is included in Security Assist 2.


un33k9309513

Thank you for your advice, I will look into it.
