[Tutor] Decrypting a Password
Steven D'Aprano
steve at pearwood.info
Sun Oct 9 05:42:49 EDT 2016
On Sun, Oct 09, 2016 at 09:29:07AM +0100, Alan Gauld via Tutor wrote:
> On 09/10/16 01:50, Linda Gray wrote:
>
> > I am working on a homework assignment that has me creating a password saver
> > using a Caesar cipher code. I was provided the key to the cipher and two
> > passwords. I need to look up and decrypt the passwords
>
> Are you sure? That's very bad practice and never needed
> in the real world.
You've never used a password vault then?
The idea of a password vault is that you have one master password which
controls access to a record of sites and their passwords. You need to
record the *actual* password, since you have to enter the password
itself (not a hash) into the site's password field. Rather than try to
remember 50 passwords, or re-use passwords (a dangerous practice) you
remember one good, memorable password, protect your password vault like
it is the keys to your house, and then the password manager can choose
very large, unique, impossible to memorise, random passwords for each
site.
> The normal way to handle passwords is to encrypt them
> and store the encrypted version.
For authentication, it *should* be an irreversible one-way hash.
(Unfortunately, far too many places don't do that. They record the
passwords in plain text, or using a hash without salting, so that the
password is recoverable.)
The exception being password managers or vaults, as I said, as they need
access to the actual password.
> Then when the user
> enters a password you encrypt that and compare it to
> the stored encryption. If the two encrypted versions
> are the same then the original passwords were the same.
That's for authentication.
> So you should never need to see the plaintext
> version of a password, that would be a bad
> security hole.
If you don't know the plaintext version of the password, how do you type
it into the password field? :-)
--
Steve
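As an added illustration of the two cases Steve separates (example code, not part of the thread): an authentication record that keeps only a salted, iterated one-way hash, beside a vault entry that must be reversible and here uses the assignment's Caesar cipher. The site name, passwords, salt and shift key are constructed values.

```python
import hashlib
import hmac
import os
import string

# Part 1: authentication. The server keeps a salt and a PBKDF2 digest, never
# the password, so a leaked record does not hand out the password itself.
ITERATIONS = 200_000

def make_record(password, salt=None):
    """Return what an authentication store should keep: salt + one-way hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify(record, attempt):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

# Part 2: the homework's vault. A vault has to give the actual password back,
# so the stored value must be reversible. The Caesar shift is the assignment's
# toy cipher: reversible, but no protection at all against anyone who reads
# the file. A real vault would use an authenticated cipher keyed from the
# master password.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

def caesar(text, key):
    """Shift letters by key (a negative key decrypts); other characters pass through."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + key) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def vault_store(vault, site, password, key):
    """Record the site's password in reversible (Caesar-shifted) form."""
    vault[site] = caesar(password, key)

def vault_lookup(vault, site, key):
    """Recover the actual password so it can be typed into the site's form."""
    return caesar(vault[site], -key)
```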