I am generating a random string through {generaterandomstring} and then {encrypt} it to store in the database. But if somebody forgets their password, then I want to send the password in decrypted form, by decrypting his/her stored encrypted password, not any other way, because I have already done it by reset and by sending a generated string.

Problem: unable to decrypt the password!

Following are my two functions to generate and encrypt generated string.

This is how I am using them:
VB
NewPassword = ES.Common.RenfroCommonModule.GenerateRandomString(8, True)
NewUserPassword = ES.EkatmERP.UserManagement.FrmUM0012_ChangeUserPwd.GetEncryptedPassword(NewPassword)


Functions:
VB
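Public Function GenerateRandomString(ByVal len As Integer, ByVal upper As Boolean) As String
    ' Each letter and digit appears exactly once (the original listed "O" twice).
    Dim allowableChars() As Char = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".ToCharArray()
    ' Largest multiple of the alphabet size that fits in a byte; larger values are discarded to avoid modulo bias.
    Dim limit As Integer = 256 - (256 Mod allowableChars.Length)
    Dim final As New System.Text.StringBuilder(len)
    Dim buffer(0) As Byte
    ' System.Random is predictable, so draw from the cryptographic RNG instead.
    Using rng As New System.Security.Cryptography.RNGCryptoServiceProvider()
        While final.Length < len
            rng.GetBytes(buffer)
            If buffer(0) < limit Then final.Append(allowableChars(buffer(0) Mod allowableChars.Length))
        End While
    End Using
    Return If(upper, final.ToString().ToUpper(), final.ToString())
End Function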
then
VB
' Class-level constant (a Private Const cannot be declared inside a function).
Private Const _EncryAlgo As String = "MD5"

' Despite the name, this computes a one-way MD5 hash; nothing is encrypted.
Public Shared Function GetEncryptedPassword(ByVal Input As String) As String
    Return System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(Input, _EncryAlgo)
End Function


Please help me decrypt this encrypted password.
Updated 11-Dec-12 18:36pm

You should never ever decrypt a password. And you never need to: it is absolutely not needed for authentication.
Also, MD5 is a cryptographic hash function; it does not allow "decryption" at all; more exactly, it makes it infeasible. This is the whole point of such algorithms.

Surprised? Keep reading.

Think about it: does anyone (except the user who owns the password) need to know the password, ever? All authentication needs is to make sure that the string entered by an authenticated user is the same that this user entered in the process of password creation. At first glance, it looks like knowing the password, but in fact this is not true. Want to do this exercise in logic?

One of the ways of solving this problem which is usually used is calculation of a cryptographic hash function in both cases and storing the hash. If you want to say that this stored value is just the encrypted password, think again. The big difference is: the cryptographic hash cannot be decrypted at all, this is a one-way function. So, it's infeasible to calculate a password from hash (and, of course, it has nothing to do with system permissions: this is equally infeasible for anyone). And this is not needed: you just store hash and compare hash with hash.

Please see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function

It is important not to use MD5 or SHA1 for security purposes: these algorithms are considered broken. Use one of the SHA-2 family:
http://en.wikipedia.org/wiki/Md5,
http://en.wikipedia.org/wiki/Sha1,
http://en.wikipedia.org/wiki/Sha2.

Please see my past answers on this topic:
Decryption of Encrypted Password,
i already encrypt my password but when i log in it gives me an error. how can decrypte it,
TCP Connection with username and password.

—SA
Comments
Sushil Mate 12-Dec-12 1:04am    
+5
Sergey Alexandrovich Kryukov 12-Dec-12 1:28am    
Thank you, Sushil.
--SA
StackQ 12-Dec-12 1:07am    
OK, I agree with you. But we can see on many sites that, suppose we forgot our password, they ask our security question and, if it is correct, they send our password to our registered email ID or anywhere (here they do not reset the password). (It means either they store our password as we input it, or, if they store it in any other form (encrypted), then perhaps they decrypt it and then send it to us.)

Or you can suggest some other way: how can I send the user's password without resetting it if the user requests it through the forgotPassword link?
Sergey Alexandrovich Kryukov 12-Dec-12 1:27am    
If someone forgot a password, it is never ever "decrypted". Not only is this just impossible; it even makes no sense, because it wasn't ever encrypted. The password is only reset, that's it.
--SA
StackQ 12-Dec-12 1:34am    
OK, thanks.
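
The "store the hash, compare hash with hash, reset on forgot password" flow from the answer above, as an added example that is not code from the thread or its participants. It goes beyond the answer's text by using a salted, iterated derivation (PBKDF2 with SHA-256) rather than a single hash pass; the module name `PasswordStore`, the iteration count and the `iterations:salt:hash` storage format are assumptions chosen for illustration.

```vb
Imports System
Imports System.Security.Cryptography

Public Module PasswordStore
    Private Const Iterations As Integer = 100000 ' assumed work factor, tune per server

    ' Value to store in the database: "iterations:salt:hash" (Base64 parts).
    Public Function HashPassword(ByVal password As String) As String
        Dim salt(15) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Return Iterations & ":" & Convert.ToBase64String(salt) & ":" &
               Convert.ToBase64String(Derive(password, salt, Iterations))
    End Function

    ' Login check: re-derive from the typed password and compare hash with hash.
    Public Function VerifyPassword(ByVal password As String, ByVal stored As String) As Boolean
        Dim parts() As String = stored.Split(":"c)
        If parts.Length <> 3 Then Return False
        Dim expected() As Byte = Convert.FromBase64String(parts(2))
        Dim actual() As Byte = Derive(password, Convert.FromBase64String(parts(1)), Integer.Parse(parts(0)))
        Dim diff As Integer = expected.Length Xor actual.Length
        For i As Integer = 0 To Math.Min(expected.Length, actual.Length) - 1
            diff = diff Or (expected(i) Xor actual(i)) ' no early exit on mismatch
        Next
        Return diff = 0
    End Function

    Private Function Derive(ByVal password As String, ByVal salt() As Byte, ByVal rounds As Integer) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, rounds, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32)
        End Using
    End Function

    ' Forgot password: e-mail a one-time token, store only its SHA-256 hash and an expiry.
    Public Function NewResetToken(ByRef tokenHashForDb As String) As String
        Dim raw(31) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(raw)
        End Using
        Using sha As SHA256 = SHA256.Create()
            tokenHashForDb = Convert.ToBase64String(sha.ComputeHash(raw))
        End Using
        Return BitConverter.ToString(raw).Replace("-", "") ' hex, safe to place in a link
    End Function
End Module
```

The `HashAlgorithmName` overload of `Rfc2898DeriveBytes` requires .NET Framework 4.7.2 or later. Nothing in the database can be turned back into the password, which is why the forgot-password path issues a token for setting a new one.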
Hi,

MD5() generates a hash, not an encrypted string. Thus you can't decrypt it in principle. But studies have shown that MD5 is hackable, but it seems too complicated to study.
From "MD5 considered harmful today"

Refer the below link.

http://www.win.tue.nl/hashclash/rogue-ca/

There are many online websites available that provide the decrypted string.

Below are a few online links.

http://md5encryption.com/
http://md5.darkbyte.ru/

http://www.stottmeister.com/blog/2009/04/14/how-to-crack-md5-passwords/

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
