How can I decrypt a password hash in PHP?
Solution 1
Bcrypt is a one-way hashing algorithm, you can't decrypt hashes. Use password_verify to check whether a password matches the stored hash:
<?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
if (password_verify('rasmuslerdorf', $hash)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
In your case, run the SQL query using only the username:
$sql_script = 'SELECT * FROM USERS WHERE username=?';
And do the password validation in PHP using a code that is similar to the example above.
The way you are constructing the query is very dangerous. If you don't parameterize the input properly, the code will be vulnerable to SQL injection attacks. See this Stack Overflow answer on how to prevent SQL injection.
Solution 2
The passwords cannot be decrypted as will makes a vulnerability for users. So, you can simply use password_verify()
method to compare the passwords.
if(password_verify($upass, $userRow['user_pass'])){
//code for redirecting to login screen }
where, $upass
is password entered by user and $userRow['user_pass']
is user_pass field in database which is encrypted by password_hash()
function.
Solution 3
Use the password_verify() function
if (password_vertify($inputpassword, $row['password'])) {
print "Logged in";
else {
print "Password Incorrect";
}
Solution 4
I need to decrypt a password. The password is crypted with password_hash function.
$password = 'examplepassword'; $crypted = password_hash($password, PASSWORD_DEFAULT);
Its not clear to me if you need password_verify
, or you are trying to gain unauthorized access to the application or database. Other have talked about password_verify
, so here's how you could gain unauthorized access. Its what bad guys often do when they try to gain access to a system.
First, create a list of plain text passwords. A plain text list can be found in a number of places due to the massive data breaches from companies like Adobe. Sort the list and then take the top 10,000 or 100,000 or so.
Second, create a list of digested passwords. Simply encrypt or hash the password. Based on your code above, it does not look like a salt is being used (or its a fixed salt). This makes the attack very easy.
Third, for each digested password in the list, perform a select in an attempt to find a user who is using the password:
$sql_script = 'select * from USERS where password="'.$digested_password.'"'
Fourth, profit.
So, rather than picking a user and trying to reverse their password, the bad guy picks a common password and tries to find a user who is using it. Odds are on the bad guy's side...
Because the bad guy does these things, it would behove you to not let users choose common passwords. In this case, take a look at ProCheck, EnFilter or Hyppocrates (et al). They are filtering libraries that reject bad passwords. ProCheck achieves very high compression, and can digest multi-million word password lists into a 30KB data file.
Related videos on Youtube
dariodp
Updated on July 09, 2022Comments
-
dariodp almost 2 years
I need to decrypt a password. The password is encrypted with
password_hash
function.$password = 'examplepassword'; $crypted = password_hash($password, PASSWORD_DEFAULT);
Now, let's assume that
$crypted
is stored in a database (there's a "users" table, with usernames, passwords, etc) and I need to do a login: I have to see if the password entered by the user matches the encrypted password stored in the database.This is the sql code...
$sql_script = 'select * from USERS where username="'.$username.'" and password="'.$inputpassword.'"';
...but
$inputpassword
is not encrypted, so it's not equal to what is stored in the password field of the table users...So, there's a function to decrypt after the use of
password_hash
? Or should I change my encrypt method? Or what else?-
Funk Forty Niner almost 10 years
password_verify()
« -
Admin almost 10 yearsYou can't decrypt it. A hash is a one-way function. Hash the password the user has given you and see the the hashes match.
-
赵君君 almost 10 yearsYou don't decrypt a hash. You hash the inputted password and compare the two hashes together. You don't care what the original password is, you just care that the hashes are the same.
-
barell almost 10 yearsProbably you can but it may takes a lot of time.
-
akuzminsky almost 10 yearsyou still can not. multiple inputs match the same hash
-
user2864740 almost 10 yearsThis notion ("encyptyion") is not how hashing works. Use and existing solution (full code) and please do not invent your own. How to properly hash (in PHP and elsewhere) has been discussed to death - there are numerous details to consider.
-
Su4p almost 10 years"one-way hashing algorithm" docs.php.net/manual/en/function.password-hash.php
-
Marc B almost 10 yearshashes are meat grinders. cow -> meat. You cannot go meat->cow.
-
Perseids almost 10 yearsObligatory Security.SE Link: security.stackexchange.com/questions/211/…
-
Funk Forty Niner almost 10 yearsObligatory? lol Wait a minute, I never signed a contract, did I?
-
Perseids almost 10 years@Fred-ii-: In the sense of "essential" for every password hashing question. :D
-
-
Gergo Erdosi almost 10 years@user2864740 Added a note to my answer. I can't suggest a better query because I don't know if OP uses mysqli, PDO or some kind of ORM.
-
user2864740 almost 10 yearsThanks for adding the note (and the link is good) - I always recommend placeholders, but that's for a different question :|
-
Perseids almost 10 yearsStill, given how much code is just copy-pasted without much consideration that warning is far to tiny.
-
tadman almost 10 yearsWhere you assume you get into serious trouble. That should be
username=?
for the sake of sanity. -
Leo Wilson over 7 yearsI don't think the OP was trying to hack anything, and besides, you have to have admin powers on the server you're trying to brute force.
-
jww over 7 years@LeoWilson - He wants to recover the password. Being an admin is not enough to do it since the password is hashed.
-
zaph over 6 years1. That is not decryption, it is a brute force attack. 2. Try it, time it on 100,000
password_hash
'ed passwords. 3. This method is well known and the point ofpassword_hash
is to consume substantial CPU tine in order to make a brute force attack very time consuming. It is the best we can do. -
Cholis over 6 yearsyupp, nont decryptor. but it is not bruce force attack if they do in their own pc/server... it's depend on big collection (database, wordlist) of password, like they do with so much MD5 database.
-
zaph over 6 years1. It is still a brute force attack, that is a method, it makes no difference who or where it is done. 2. it is not like an MD5 rainbow table attack because there is a random seed involved in
password_hash
so thepassword_verification
calculation must be made for each password tried. 3. The cost should be chosen such thatpassword_verification
takes about 100ms, substantially slower than MD5 of a password that can usually be calculated in less than 0.01ms sopassword_verification
is about 100,000 times slower than MD5 in the same class CPU thatpassword_hash
was calculated on.