Hello,

I have my users passwords stored to my DB hashs created using
SHA1CryptoServiceProvider, here is the function:

Public Shared Function EncryptPassword(ByVal password As String) As Byte()
Dim encoding As New UnicodeEncoding()
Dim hashBytes As Byte() = encoding.GetBytes(password)
' Compute the SHA-1 hash
Dim sha1 As New SHA1CryptoServiceProvider()
Dim cryptPassword = sha1.ComputeHash(hashBytes)
Return cryptPassword
End Function

Question is, how can I decrypt the password so my 'forgot password' logic
can mail it to them? I can't seem to find a method anywhere!?!

Many thanks in advance.

Adam

The point to a hash is that you can't decrypt it.

"Adam Carpenter" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> I have my users passwords stored to my DB hashs created using
> SHA1CryptoServiceProvider, here is the function:
>
> Public Shared Function EncryptPassword(ByVal password As String) As Byte()
> Dim encoding As New UnicodeEncoding()
> Dim hashBytes As Byte() = encoding.GetBytes(password)
> ' Compute the SHA-1 hash
> Dim sha1 As New SHA1CryptoServiceProvider()
> Dim cryptPassword = sha1.ComputeHash(hashBytes)
> Return cryptPassword
> End Function
>
> Question is, how can I decrypt the password so my 'forgot password' logic
> can mail it to them? I can't seem to find a method anywhere!?!
>
> Many thanks in advance.
>
> Adam
>
>

"Adam Carpenter" <(E-Mail Removed)> scripsit:
> I have my users passwords stored to my DB hashs created using
> SHA1CryptoServiceProvider, here is the function:
>
> Public Shared Function EncryptPassword(ByVal password As String) As Byte()
> Dim encoding As New UnicodeEncoding()
> Dim hashBytes As Byte() = encoding.GetBytes(password)
> ' Compute the SHA-1 hash
> Dim sha1 As New SHA1CryptoServiceProvider()
> Dim cryptPassword = sha1.ComputeHash(hashBytes)
> Return cryptPassword
> End Function
>
> Question is, how can I decrypt the password so my 'forgot password' logic
> can mail it to them? I can't seem to find a method anywhere!?!

You cannot get the original data from the hash code.

--
Herfried K. Wagner
MVP · VB Classic, VB.NET
<http://www.mvps.org/dotnet>

Hi Adam, a hash cannot be decrypted, that is the point of them.

The only way to determine what the hash was originally is to compare it with
the hashed version of the original data, hashes are unique.

You could brute force your hash, but that takes a lot of processing time,
about a few billion years.

--
HTH,
-- Tom Spink, Über Geek

Please respond to the newsgroup,
so all can benefit

" System.Reflection Master "

==== Converting to 2002 ====
Remove inline declarations


"Adam Carpenter" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
: Hello,
:
: I have my users passwords stored to my DB hashs created using
: SHA1CryptoServiceProvider, here is the function:
:
: Public Shared Function EncryptPassword(ByVal password As String) As Byte()
: Dim encoding As New UnicodeEncoding()
: Dim hashBytes As Byte() = encoding.GetBytes(password)
: ' Compute the SHA-1 hash
: Dim sha1 As New SHA1CryptoServiceProvider()
: Dim cryptPassword = sha1.ComputeHash(hashBytes)
: Return cryptPassword
: End Function
:
: Question is, how can I decrypt the password so my 'forgot password' logic
: can mail it to them? I can't seem to find a method anywhere!?!
:
: Many thanks in advance.
:
: Adam
:
:

"Tom Spink" <(E-Mail Removed)> scripsit:
> The only way to determine what the hash was originally is to compare it with
> the hashed version of the original data, hashes are unique.
>
> You could brute force your hash, but that takes a lot of processing time,
> about a few billion years.

<http://www.distributed.net/>

--
Herfried K. Wagner
MVP · VB Classic, VB.NET
<http://www.mvps.org/dotnet>

Hi Herfried, (you're for it now <grins>)

Hardly realistic for 'Forgotten Password' logic ;-)

If Adam's still watching the thread, then perhaps he should provide 'Reset
Password' logic instead.

--
HTH,
-- Tom Spink, Über Geek

Please respond to the newsgroup,
so all can benefit

" System.Reflection Master "

==== Converting to 2002 ====
Remove inline declarations


"Herfried K. Wagner [MVP]" <hirf-spam-me-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
: "Tom Spink" <(E-Mail Removed)> scripsit:
: > The only way to determine what the hash was originally is to compare it
with
: > the hashed version of the original data, hashes are unique.
: >
: > You could brute force your hash, but that takes a lot of processing
time,
: > about a few billion years.
:
: <http://www.distributed.net/>
:
: --
: Herfried K. Wagner
: MVP · VB Classic, VB.NET
: <http://www.mvps.org/dotnet>

Have your "forgot password" logic create a NEW password for them and mail
them that one.

Otherwise you are trying to solve something that can't be easily solved.

Jerry

"Adam Carpenter" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> I have my users passwords stored to my DB hashs created using
> SHA1CryptoServiceProvider, here is the function:
>
> Public Shared Function EncryptPassword(ByVal password As String) As Byte()
> Dim encoding As New UnicodeEncoding()
> Dim hashBytes As Byte() = encoding.GetBytes(password)
> ' Compute the SHA-1 hash
> Dim sha1 As New SHA1CryptoServiceProvider()
> Dim cryptPassword = sha1.ComputeHash(hashBytes)
> Return cryptPassword
> End Function
>
> Question is, how can I decrypt the password so my 'forgot password' logic
> can mail it to them? I can't seem to find a method anywhere!?!
>
> Many thanks in advance.
>
> Adam
>
>

Creating a new password is the way to go. This also adds some security
because lets say that an unauthorized user can obtain via the "forgot
password". Now, the unauthorized user can use the system, but the REAL user
can too. He doesn't know anything has happened.

Making the password be reset makes any legit users to know of it (since they
no longer can login), and any breach via this method will be discovered
faster.

-mike
MVP

"Adam Carpenter" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> I have my users passwords stored to my DB hashs created using
> SHA1CryptoServiceProvider, here is the function:
>
> Public Shared Function EncryptPassword(ByVal password As String) As Byte()
> Dim encoding As New UnicodeEncoding()
> Dim hashBytes As Byte() = encoding.GetBytes(password)
> ' Compute the SHA-1 hash
> Dim sha1 As New SHA1CryptoServiceProvider()
> Dim cryptPassword = sha1.ComputeHash(hashBytes)
> Return cryptPassword
> End Function
>
> Question is, how can I decrypt the password so my 'forgot password' logic
> can mail it to them? I can't seem to find a method anywhere!?!
>
> Many thanks in advance.
>
> Adam
>
>

Hello,

Thank you very much for your comments. Given what has been said I am going
to persue a reset password route in combination with some additional
security questions. I totally agree that the less information I can expose
the better especially given the point that some raised that users would tend
to use the same password accross multiple sites.

Thanks again,

Adam

"Adam Carpenter" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> I have my users passwords stored to my DB hashs created using
> SHA1CryptoServiceProvider, here is the function:
>
> Public Shared Function EncryptPassword(ByVal password As String) As Byte()
> Dim encoding As New UnicodeEncoding()
> Dim hashBytes As Byte() = encoding.GetBytes(password)
> ' Compute the SHA-1 hash
> Dim sha1 As New SHA1CryptoServiceProvider()
> Dim cryptPassword = sha1.ComputeHash(hashBytes)
> Return cryptPassword
> End Function
>
> Question is, how can I decrypt the password so my 'forgot password' logic
> can mail it to them? I can't seem to find a method anywhere!?!
>
> Many thanks in advance.
>
> Adam
>
>