
I have a piece of software which stores passwords using an unknown hashing method. For example, if 123456789 is set as the password, it is stored in the database in two fields, 'salt' (it seems the salt is generated randomly) and 'hashed'. I need to know how the software arrives at that hashed string.

As an example, for the original string: 123456789

the salt is: ifWIg1IB

hashed is: QkKtpxSqd+kIH2EuMkNdWV44B2g=

I need to know this because I am building an integrated login system based on this hashed password. I think it is very important to avoid creating lots of usernames and passwords for each person in an office.

with the best respects

  • Isn't the whole point of password security to prevent you from reverse-engineering it? Commented Apr 12, 2017 at 15:40
  • You take the bytes of the original string, then you combine them with the bytes of the salt in some way (depends on the algorithm). Then you apply a hashing function one or multiple times on the result. Commented Apr 12, 2017 at 15:41
  • @buffjape: I don't think the OP wants to know the original password (since for popular hashing algorithms that is (close to) impossible), but wants to know the algorithm. But indeed, although obfuscation is not secure enough on its own, it is one of the additional measures one can take. Commented Apr 12, 2017 at 15:41
  • Why do you want to know? Even if you knew the hash method, unless it's a very old and broken one you'll never backwards engineer the password. Don't waste your time. Commented Apr 12, 2017 at 15:43
  • 1
    Please update your question with exactly what you have access to in the original software as well as what you need to do. Commented Apr 12, 2017 at 16:12

1 Answer


Your 'hashed' output is a base64-encoded string. Decoding the string results in a 20-byte digest. SHA-1 produces 20-byte hashes, so it looks like the generation process is:

base64(sha1(combine(salt, password)))

There are two obvious approaches to combining the salt and password plaintext: append or prepend the salt to the password. If you prepend the salt, you end up with the following algorithm to generate the encoded digest:

public static string GenPasswordString(string password, string salt)
{
    // The salt is prepended to the password; the concatenation is UTF-8 encoded before hashing.
    byte[] bytes = System.Text.Encoding.UTF8.GetBytes(salt + password);
    using (var alg = new System.Security.Cryptography.SHA1Managed())
    {
        byte[] hashBytes = alg.ComputeHash(bytes);    // single SHA-1 pass, 20-byte digest
        return Convert.ToBase64String(hashBytes);     // 28-character base64 string with one '=' of padding
    }
}

and

GenPasswordString("123456789", "ifWIg1IB") == "QkKtpxSqd+kIH2EuMkNdWV44B2g="
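Rather than take the salt-prepended SHA-1 guess on trust, the check a practitioner would run is to decode the stored value, let its length narrow the candidate digest functions, and then try the common salt/password combinations against the known plaintext. The script below is an added example and not code from the original post; the salt, password and hashed values are the ones quoted in the question, and the list of constructions it tries (salt first, password first, a ':' separator, hex-of-hash plus salt, and HMAC keyed with the salt) is an assumption about what such software typically does, not something the page states.

```python
"""
Identify the hashing construction behind a (salt, hashed) pair by trial.

Added example, not from the original post. The sample values are the ones
quoted in the question; the candidate constructions are an assumption.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Sample values copied from the question (constructed input for this example).
SAMPLE_SALT = "ifWIg1IB"
SAMPLE_PASSWORD = "123456789"
SAMPLE_HASHED = "QkKtpxSqd+kIH2EuMkNdWV44B2g="

# Digest length in bytes -> unkeyed hash functions that produce that length.
DIGEST_SIZES = {
    16: ["md5"],
    20: ["sha1"],
    28: ["sha224"],
    32: ["sha256"],
    48: ["sha384"],
    64: ["sha512"],
}


def decode_hashed(hashed: str) -> Optional[bytes]:
    """Decode the stored value as strict base64, or None if it is not base64."""
    try:
        return base64.b64decode(hashed, validate=True)
    except (binascii.Error, ValueError):
        return None


def candidate_algorithms(hashed: str) -> List[str]:
    """Names of hash functions whose digest size matches the decoded value."""
    raw = decode_hashed(hashed)
    if raw is None:
        return []
    return DIGEST_SIZES.get(len(raw), [])


def gen_password_string(password: str, salt: str, algorithm: str = "sha1") -> str:
    """base64(H(salt || password)): the salt-prepended construction from the answer."""
    digest = hashlib.new(algorithm, (salt + password).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def constructions(algorithm: str) -> Dict[str, Callable[[str, str], str]]:
    """Common ways of combining salt and password for one hash function (assumed list)."""

    def h(data: bytes) -> str:
        return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")

    def hmac_b64(key: str, msg: str) -> str:
        mac = hmac.new(key.encode("utf-8"), msg.encode("utf-8"), algorithm).digest()
        return base64.b64encode(mac).decode("ascii")

    return {
        f"{algorithm}(salt+password)": lambda p, s: h((s + p).encode("utf-8")),
        f"{algorithm}(password+salt)": lambda p, s: h((p + s).encode("utf-8")),
        f"{algorithm}(salt+':'+password)": lambda p, s: h((s + ":" + p).encode("utf-8")),
        f"{algorithm}(hex({algorithm}(password))+salt)": lambda p, s: h(
            (hashlib.new(algorithm, p.encode("utf-8")).hexdigest() + s).encode("utf-8")
        ),
        f"hmac-{algorithm}(key=salt, msg=password)": lambda p, s: hmac_b64(s, p),
    }


def find_constructions(password: str, salt: str, hashed: str) -> List[str]:
    """Return the names of every candidate construction that reproduces `hashed`."""
    matches = []
    for algorithm in candidate_algorithms(hashed):
        for name, fn in constructions(algorithm).items():
            # compare_digest avoids a timing side channel; irrelevant offline, good habit anyway
            if hmac.compare_digest(fn(password, salt), hashed):
                matches.append(name)
    return matches


if __name__ == "__main__":
    print("digest size suggests:", candidate_algorithms(SAMPLE_HASHED))
    print("matching constructions:",
          find_constructions(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_HASHED))
```

An empty result means the software does something outside this short list (iterated hashing, a secret pepper, a different encoding of the salt), not that the format is unrecoverable; extend the candidate list only with constructions you have a reason to suspect. If a single-pass SHA-1 over salt and password does turn out to be the format, treat it as a compatibility shim: it is a fast hash, so the integrated login should verify against it once and then re-store the credential under a proper password KDF (bcrypt, scrypt, Argon2 or PBKDF2) on the next successful login.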
