3  

Two interesting articles on the topic: You're Probably Storing Passwords Incorrectly and Rainbow Hash Cracking...

关于这个主题的两篇有趣的文章:你可能错误地存储密码和彩虹哈希破解......

So it depends on what you plan to do (a password storage safe or storing password for users on a site, etc.). For the former usage, you can take a look at how KeePass works (it is open source).

因此,这取决于您打算做什么(密码存储安全或为网站上的用户存储密码等)。对于以前的用法,您可以了解KeePass的工作原理(它是开源的)。

14  

This is not possible. SHA1 is, very carefully and deliberately, a one-way function.

这是不可能的。 SHA1是一种非常谨慎和刻意的单向函数。

Why are you trying to recover the original password? It is not needed for authentication, because you simply hash the input password and compare the hash values.

你为什么要恢复原来的密码?身份验证不需要它,因为您只需对输入密码进行哈希并比较哈希值。

If it is because the user forgot their password, then standard practice appears to be generating a randomized reset link and emailing it to the user.

如果是因为用户忘记了密码,则标准练习似乎生成随机重置链接并通过电子邮件发送给用户。

3  

You can't do that, that's the point of hash function. In fact, several password can give you the same hash, so even if you find a string that give you this hash it may not be the correct one.
If you need to find the password back, don't use hash use something like RSA.

你不能这样做,这是哈希函数的重点。事实上,几个密码可以为您提供相同的哈希值,因此即使您找到一个给您这个哈希值的字符串,它也可能不正确。如果您需要找回密码,请不要使用类似RSA的哈希值。

Some links for you to read:

一些链接供您阅读:

• http://en.wikipedia.org/wiki/Cryptographic_hash_function
• http://en.wikipedia.org/wiki/RSA

3  

You can't. The point of a hash function (as opposed to encryption) is that it's a one-way process. In other words, there can be multiple passwords which hash to the same value, and there's no way of going from the hash to the original password.

你不能。散列函数(与加密相反)的意义在于它是一个单向过程。换句话说,可能有多个密码散列到相同的值,并且无法从散列转到原始密码。

This is useful as you don't need any sort of "master password" or other secret which is required for two-way encryption - but it does mean you will never be able to get back the original password from the hashed value. If you really need the password, you'll have to use encryption/decryption instead of hashing.

这很有用,因为您不需要任何类型的“主密码”或双向加密所需的其他秘密 - 但它确实意味着您永远无法从散列值中取回原始密码。如果您确实需要密码,则必须使用加密/解密而不是散列。

2  

You can't, that's what hashes are for. Because of that, many sites have an option to reset the password (i.e. putting into the db the hash of the new password you provided). You usually don't find the option to retrieve the current password (i.e. having it sent to you by mail).

你不能,这就是哈希所代表的。因此,许多站点都可以选择重置密码(即将您提供的新密码的哈希值放入db中)。您通常找不到检索当前密码的选项(即通过邮件将其发送给您)。

If a website does offer this functionality, it means that they are not storing password hashes, but either plaintext or encrypted passwords. Since storing a hash is the best practice, you should steer clear from sited that offer password retrieval.

如果网站确实提供此功能,则意味着它们不存储密码哈希值,而是存储明文密码或加密密码。由于存储哈希是最佳实践,因此您应该从提供密码检索的位置明确指出。

And you should steer clear from developping such a site yourself ;-)

并且你应该自己开发这样一个网站明确指出;-)

1  

If you're not using a salt then you could break the passwords using a dictionary attack.

如果你没有使用盐,那么你可以使用字典攻击来破解密码。

EDIT: I realise his original question is how to retrieve a password he stored, but it amuses me to provide a solution to the more generic question implied by the question title.

编辑:我意识到他最初的问题是如何检索他存储的密码,但是我很乐意为问题标题隐含的更通用的问题提供解决方案。

0  

Not meaning to be rude here, but did you really understand why you were hashing the passwords in the first place?

这里并不意味着粗鲁,但你真的明白为什么你在第一时间扫描密码?

0  

Theoretically you can't as the other comments have mentioned.

从理论上讲,你不能像其他评论所提到的那样。

What I think Rick was trying to say if that if an attacker knew you were using the SHA1 algorithm for hashing and the salt you were using, they could make a mapping of hashes to passwords to attempt to retrieve passwords.

我认为Rick试图说,如果攻击者知道你使用SHA1算法进行散列和你正在使用的盐,他们可以将哈希映射到密码以尝试检索密码。

But to answer your question: no, you can't do this easily.

但要回答你的问题:不,你不能轻易做到这一点。