[Tutor] Decrypting a Password

Steven D'Aprano steve at pearwood.info
Sun Oct 9 05:42:49 EDT 2016


On Sun, Oct 09, 2016 at 09:29:07AM +0100, Alan Gauld via Tutor wrote:
> On 09/10/16 01:50, Linda Gray wrote:
> 
> > I am working on a homework assignment that has me creating a password saver
> > using a Caesar cipher code.  I was provided the key to the cipher and two
> > passwords.  I need to look up and decrypt the passwords 
> 
> Are you sure? That's very bad practice and never needed
> in the real world.

You've never used a password vault then?

The idea of a password vault is that you have one master password which 
controls access to a record of sites and their passwords. You need to 
record the *actual* password, since you have to enter the password 
itself (not a hash) into the site's password field. Rather than try to 
remember 50 passwords, or re-use passwords (a dangerous practice) you 
remember one good, memorable password, protect your password vault like 
it is the keys to your house, and then the password manager can choose 
very large, unique, impossible to memorise, random passwords for each 
site.


> The normal way to handle passwords is to encrypt them
> and store the encrypted version. 

For authentication, it *should* be an irreversible one-way hash. 
(Unfortunately, far too many places don't do that. They record the 
passwords in plain text, or using a hash without salting, so that the 
password is recoverable.)

The exception being password managers or vaults, as I said, as they need 
access to the actual password.


> Then when the user
> enters a password you encrypt that and compare it to
> the stored encryption. If the two encrypted versions
> are the same then the original passwords were the same.

That's for authentication.


> So you should never need to see the plaintext
> version of a password, that would be a bad
> security hole.

If you don't know the plaintext version of the password, how do you type 
it into the password field? :-)



-- 
Steve
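Worked example added here, not part of Steve's message or the Tutor thread: the two storage models he contrasts, in Python using only the standard library. The salted PBKDF2 record serves authentication and cannot be reversed; the vault entry is encrypted under keys derived from the master password, so the real site password comes back out. All function names, the HMAC-counter-mode construction and the sample values are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Authentication storage: keep only a salted, slow, one-way hash, so the
# stored record cannot be turned back into the password.
def make_auth_record(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    # Constant-time compare: timing must not reveal how many bytes matched.
    return hmac.compare_digest(digest, record["hash"])

# Password vault: entries must be recoverable, so they are encrypted under
# keys derived from the master password rather than hashed. Construction
# (assumed, for illustration): HMAC-SHA256 keystream in counter mode XORed
# with the plaintext, then an HMAC tag over nonce||ciphertext
# (encrypt-then-MAC). A production vault would use a vetted AEAD instead.
def derive_vault_keys(master: str, salt: bytes) -> tuple:
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def vault_encrypt(enc_key: bytes, mac_key: bytes, site_password: str) -> bytes:
    nonce = os.urandom(16)  # fresh per entry, so the keystream never repeats
    pt = site_password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def vault_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Wrong master password (different keys) or a tampered entry.
        raise ValueError("authentication tag mismatch")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode()
```

A wrong master password derives different keys, so decryption fails on the tag check rather than silently returning garbage.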

