Is there a way to compare passwords stored in a database after being encrypted with sha2() and the password entered by users during login, without encrypting the login-time password? Actually, I want to match the passwords character by character and pass for a match in either upper case or lower case, i.e., in other words, is there a function or method to decrypt the saved password before comparison?
-2
- `sha1` hashes the password, it doesn't encrypt it. You can't reverse it. If it was reversible, that would _completely_ defeat the point of hashing it in the first place. – Christian Nov 30 '12 at 12:42
- OK, so if I can't decrypt it and then compare the characters, then is there no way to match passwords character by character, other than not hashing the password while storing? :( – mscoder Nov 30 '12 at 12:46
- Exactly. But why you'd want to do this is beyond me. Perhaps if you explain the problem you're trying to solve, we can provide an alternate solution. – Christian Nov 30 '12 at 12:50
- Actually I was trying to make the password case insensitive, and so I thought this could be done this way. – mscoder Nov 30 '12 at 12:54
- If you want to make the password case insensitive, store the strtolower'd password's hash in the database, and compare it with the strtolower'd user input with db hash. WHAT YOU ARE TRYING TO DO GREATLY INCREASES THE CHANCE OF A SUCCESSFUL BRUTE ATTACK THOUGH. – AKS Nov 30 '12 at 12:57
- Yeah, that's a bad idea. Secure passwords have a mix of cased letters _on purpose_. – Christian Nov 30 '12 at 13:00
2 Answers
2
What you want to do sounds fishy.
Anyway, no, you can't recover a hashed string.

dynamic
0
You can't "decrypt" a SHA hash. Instead, compare the SHA version of the entered password with the stored passwords in the database (also hashed).
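```php
<?php
$enteredpass = $_POST['password'] ?? '';
// PHP has no sha2() function; hash('sha256', ...) computes a SHA-2 digest
$enteredpass = hash('sha256', $enteredpass);
$realpass = hash('sha256', 'password123'); //Yup, best password EVAR!! xD
// hash_equals() compares in constant time and avoids == type juggling on hex strings
if (hash_equals($realpass, $enteredpass)) {
    echo "THE PASSWORD IS CORRECT!! :D";
}
else {
    echo "THE PASSWORD IS INCORRECT!!";
}
```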
You probably want to use a database, but this is just a simple example... ;)

Julia van der Kris
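
The hash-and-compare flow from the answer above, combined with the lowercase-before-hashing variant from the comments, as an added example that is not part of the original thread. It assumes PHP 7+ and swaps the bare SHA digest for `password_hash()`/`password_verify()` (salted and deliberately slow); the helper names and the sample password are hypothetical.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Fold case before hashing so both sides of the comparison see the same input.
// strtolower() is what the comment suggests; it handles ASCII letters, so use
// mb_strtolower() instead if passwords may contain non-ASCII letters.
function normalize_password(string $plain, bool $caseInsensitive): string
{
    return $caseInsensitive ? strtolower($plain) : $plain;
}

// Registration: store only the salted, slow hash, never the plain text.
function make_stored_hash(string $plain, bool $caseInsensitive = false): string
{
    return password_hash(normalize_password($plain, $caseInsensitive), PASSWORD_DEFAULT);
}

// Login: the entered password is hashed and compared; nothing is decrypted.
function check_login(string $entered, string $storedHash, bool $caseInsensitive = false): bool
{
    return password_verify(normalize_password($entered, $caseInsensitive), $storedHash);
}

// Number of candidate passwords of a given length over an alphabet.
function keyspace(int $alphabetSize, int $length): float
{
    return (float) ($alphabetSize ** $length);
}

// Constructed sample data.
$strict = make_stored_hash('CorrectHorse9');        // case-sensitive account
$folded = make_stored_hash('CorrectHorse9', true);  // case-insensitive account

var_dump(check_login('CorrectHorse9', $strict));        // same case as registered
var_dump(check_login('correcthorse9', $strict));        // wrong case, strict account
var_dump(check_login('cORRECThORSE9', $folded, true));  // wrong case, folded account

// What case folding costs: for 8 characters of letters and digits the
// alphabet shrinks from 62 symbols to 36. Print the reduction factor.
printf("search space shrinks by a factor of %.1f\n", keyspace(62, 8) / keyspace(36, 8));
```

The case-insensitive flag has to be applied identically at registration and at login, otherwise a hash stored from the original mixed-case input will never match the lowercased login input.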