
I found a simple encryption method to encrypt a password (I think so). I would like to go with that method for my application. But I'm struggling to develop a decryption method to get the actual string which has been encrypted by that encryption method. Could anyone please provide me the decryption method for this encryption method? Thanks in advance!

public static string Encode(string value)
{
    // Hashes the ASCII bytes of value with SHA-1 and returns the 20-byte digest
    // as 40 lowercase hex characters. Note that ASCIIEncoding silently replaces
    // any non-ASCII character with '?', so such passwords collide on the same input.
    using (var hash = System.Security.Cryptography.SHA1.Create())
    {
        var encoder = new System.Text.ASCIIEncoding();
        var combined = encoder.GetBytes(value ?? "");
        // BitConverter yields "5B-AA-61-..."; strip the dashes and lowercase it.
        return BitConverter.ToString(hash.ComputeHash(combined)).ToLower().Replace("-", "");
    }
}
Isuru
  • Possible duplicate of [Is it possible to decrypt SHA1](http://stackoverflow.com/questions/18887823/is-it-possible-to-decrypt-sha1) – Artjom B. Oct 13 '15 at 08:21

1 Answer


If I'm not mistaken, that method is hashing your password using the SHA1 standard.

Hashing is a special type of encryption that is one-way, meaning that you can't decrypt it.

I assume that you are wanting to decrypt it in order to check someone's password against a login form. The way to handle that is to store the encrypted password; then when someone fills out your form, encrypt their input using the same encryption method and see if the two encrypted strings match.


On a side note, if you are hashing, please don't forget to salt your hashes. This would then require you to store the hash and the salt in your database; when checking passwords, simply retrieve the salt associated with the entered username, add it to the form input's password, hash it, and check the new hash against the stored salted one. If they match, bingo! If not, it's the wrong password.


More...

Looking at other answers to similar questions, let me add this for completeness.

The short answer to this question is no. These hashing algorithms are designed to be "uncrackable". That does not mean, however, that they cannot be broken. The way to break SHA1 or any other modulus-based hashing algorithm is to "guess and check." Basically:

  1. Enter a password
  2. If it's correct, great! You're in!
  3. If it's incorrect, go to 1.

Much like any other password system you've encountered, the way to break it is with brute force. You can imagine that there are many programs out there designed to do just this. The problem with hashing algorithms is that they yield the same result for the same input; since you are using SHA1, which is a standard library used by millions of other applications, I can guarantee you that plain vanilla SHA1 can and will be broken if you use it.

The solution to this problem is to use salting, as mentioned above. This changes the input for a particular password for every single user, meaning that if three users all have the same password, say "password" for instance, each user's password will be stored in the database as a different result.

If they were passed through sha1 without salt, they'd all be the same because you are feeding the same input in:

password ---SHA1---> sha1$asdfasdfasdfasdf
password ---SHA1---> sha1$asdfasdfasdfasdf
password ---SHA1---> sha1$asdfasdfasdfasdf

So if someone got access to your database, they could look for duplicates and check common passwords against them until they realized that sha1$asdfasdfasdfasdf actually means "password."

But by adding salt to the equation, every user is essentially entering a different password

salt1password ---SHA1---> sha1$aogiahowehgpa
salt2password ---SHA1---> sha1$oh9h42h980agh
salt3password ---SHA1---> sha1$322tyyha0gh9w

This makes your system nearly impossible to crack. If someone got access to your database, there would be no duplicates to check.

So always salt your hashes!

Liftoff
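The verify-by-rehash login check and the salted-versus-unsalted comparison from the answer above, as an added example in Python that is not part of the original question or answer. `encode_unsalted()` is a port of the question's `Encode()`; `UNSALTED_DB`, `COMMON_GUESSES`, `hash_password()`, `verify_password()`, `build_salted_db()` and the `salthex$digest` storage format are constructed for this illustration and are assumptions, not anything from the page. SHA-1 is kept so the output is comparable to `Encode()`.

```python
import hashlib
import hmac
import os

# Python port of the question's Encode(): unsalted SHA-1 of the ASCII bytes, as lowercase hex.
def encode_unsalted(value: str) -> str:
    return hashlib.sha1(value.encode("ascii")).hexdigest()

# Constructed "leaked" user table (not real data): three users who all chose "password".
UNSALTED_DB = {user: encode_unsalted("password") for user in ("alice", "bob", "carol")}

# Constructed guess list standing in for a real wordlist (hypothetical, not from the page).
COMMON_GUESSES = ["123456", "letmein", "password", "qwerty"]

def crack_unsalted(db: dict, guesses: list) -> dict:
    """The answer's guess-and-check loop, done the cheap way: hash every guess once,
    then look every stored hash up in that table. Returns {user: recovered_password}."""
    table = {encode_unsalted(g): g for g in guesses}
    return {user: table[h] for user, h in db.items() if h in table}

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted storage: a fresh 16-byte random salt per call (i.e. per user).
    The salt is kept in the clear next to the digest as 'salthex$digest'."""
    if salt is None:
        salt = os.urandom(16)
    # Assumption: the salt is prepended to the password, matching the answer's "salt1password" sketch.
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest

def verify_password(stored: str, attempt: str) -> bool:
    """Re-derive the digest with the stored salt and compare; nothing is ever 'decrypted'."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(attempt, bytes.fromhex(salt_hex))
    # Constant-time comparison so a wrong guess does not leak how much of the digest matched.
    return hmac.compare_digest(recomputed, stored)

def build_salted_db(users, password: str) -> dict:
    """Store the same password for several users; every row gets its own salt."""
    return {user: hash_password(password) for user in users}

if __name__ == "__main__":
    print("unsalted, identical rows:", UNSALTED_DB)
    print("recovered by table lookup:", crack_unsalted(UNSALTED_DB, COMMON_GUESSES))
    salted = build_salted_db(("alice", "bob", "carol"), "password")
    print("salted, all different:", salted)
    print("same guess table now recovers:", crack_unsalted(salted, COMMON_GUESSES))
    print("login check (right, wrong):",
          verify_password(salted["alice"], "password"),
          verify_password(salted["alice"], "Password"))
```

Running it shows the three unsalted rows are byte-identical and all fall to one precomputed table of guesses, while the three salted rows differ and the same table matches nothing; a login is checked by recomputing the digest with the user's stored salt. In practice the bare `hashlib.sha1` call in `hash_password()` should be replaced by a deliberately slow salted key-derivation function (`hashlib.pbkdf2_hmac` in Python, `Rfc2898DeriveBytes` in .NET, or bcrypt/scrypt/Argon2): the salt removes the duplicate-lookup shortcut, but per-guess cost is what makes the guess-and-check loop in the answer expensive, and SHA-1 is fast by design.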
  • @Kalagen Thank you, I try :) – Liftoff Oct 13 '15 at 05:23
  • @David, thanks for the valuable information! Yes, when someone is logging in, that is what I'm doing. But the problem comes when facilitating editing of the password. I have to decrypt the encrypted value and show the actual password to the user. Could you please provide me a link or a resource for that kind of scenario? – Isuru Oct 13 '15 at 05:29
  • 2
    @Isuru This is simply not possible unless you store the unhashed password. This in itself is why big websites never show you your password. It is insecure. Try changing your password on any website like Google, Stack Exchange, Facebook, etc. They will let you change your password, but they will never reveal what it is to you. They may even store old hashed passwords to make sure you don't reuse an old password. – Liftoff Oct 13 '15 at 05:37
  • Hashing is not a special type of encryption, because encryption is by definition two-way. – Artjom B. Oct 13 '15 at 08:23
  • @ArtjomB. Now you're just picking words apart. Tomayto tomahto. It really worth downvoting my answer just for that? – Liftoff Oct 13 '15 at 08:34
  • @ArtjomB. And actually, if you want to go all dictionary on me, then actually, according to dictionary.com, to encrypt means to encode, which means to translate a message into a code. That is exactly what hashing does. It turns a string of text into a fixed-length code representation. – Liftoff Oct 13 '15 at 08:38
  • @David, sorry for the late reply. I am new to this encrypting and decrypting thing and because of your answer got a good knowledge regarding that. I'll research more about this to enhance my knowledge further. If I have any questions I'll ask you. Thank you very much :) – Isuru Oct 13 '15 at 08:42
  • @Isuru Happy to help! – Liftoff Oct 13 '15 at 08:43
  • An encoding is also a two-way function like encryption with the difference that it doesn't use a key. So hashing is not an encoding. Other than this, your answer is ok. I downvoted it, because you found a duplicate question and still provided an answer to it instead of voting to close. I also downvoted the question, because the title is misleading and almost every future reader that opens the question hoping to understand *encryption* will just be presented with *hashing*. I see no use in this question. – Artjom B. Oct 13 '15 at 10:34