How to decode a password when you have the hash and salt?
#1
Any websites or tutorial?



#2
You cannot. Hashes are one way, compared to encryption/decryption which is 2-way. So if you have a hash (and salt), you only have a few options, and they're almost always the same fundamentally: what do I input to get the hash as an output?

A hash gets created when you type a password into a system that stores its password using hashing.
Later when you authenticate, your input gets hashed again. If the hashes match, you're in. By this mechanism your password is never directly stored anywhere and so can't be revealed as per your question.

Someone else may argue, but I believe having a specific hash gives you little to no advantage over an adversary who knows nothing, and that's the purpose of hashing.

if you want to try using rainbow tables and an offline attack.

Unsalted hashes are easier to recover, so the presence of a salt is bad in general for these purposes, but being aware of challenges is always a good thing. When salts are present you'd need additional tables to compensate for this. Each table would have a storage commitment, so large or multiple salts (each applied on a per-hash basis) will slow you down and make this impossible, or at least infeasible from a storage perspective, and take ages.

A 12-bit salt found on an old webserver would require 4096 (or 2^12) separate tables at maximum; brute forcing would take longer but would require far less resources and can be done remotely. There's always a time/storage tradeoff for shit like this.

SHA-256 would require 2^256 tables, which I am told by Wolfram Alpha is 115 quattuorvigintillion, or 1.2% of the atoms in the observable universe.

So longer words / MOAR BITS can make this process impossible, but any of these estimates are against an unknown password. Your mileage WILL vary.
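The store-then-rehash mechanism the post describes, as an added example (not code from the thread): a record holds a random per-user salt and the salted PBKDF2-SHA256 digest, login re-hashes the attempt with the stored salt, and two users with the same password end up with different stored hashes, which is why one precomputed table no longer covers everyone. The iteration count, field names and sample passwords are assumed for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; real deployments tune this upward.
ITERATIONS = 100_000


def store_password(password, salt=None):
    """Return the record a system would keep: salt + salted hash, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt per stored record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record, attempt):
    """Login path: re-hash the attempt with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_distinct_hashes(password):
    """Two records for the same password differ because each gets its own salt."""
    a = store_password(password)
    b = store_password(password)
    return (a["hash"] != b["hash"]
            and verify_password(a, password)
            and verify_password(b, password))


def tables_needed(salt_bits):
    """Upper bound on separate precomputed tables a salt of this width forces (2^n)."""
    return 2 ** salt_bits


if __name__ == "__main__":
    # Constructed sample: same password, two users, two different stored hashes.
    rec = store_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password(rec, "correct horse battery staple"))
    print("wrong pw:", verify_password(rec, "Tr0ub4dor&3"))
    print("distinct hashes for same password:", same_password_distinct_hashes("hunter2"))
    print("tables for a 12-bit salt:", tables_needed(12))
```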



#3
2buckchuck Wrote: You cannot. Hashes are one way, compared to encryption/decryption which is 2-way. So if you have a hash (and salt), you only have a few options, and they're almost always the same fundamentally: what do I input to get the hash as an output?

A hash gets created when you type a password into a system that stores its password using hashing.
Later when you authenticate, your input gets hashed again. If the hashes match, you're in. By this mechanism your password is never directly stored anywhere and so can't be revealed as per your question.

Someone else may argue, but I believe having a specific hash gives you little to no advantage over an adversary who knows nothing, and that's the purpose of hashing.

if you want to try using rainbow tables and an offline attack.

Unsalted hashes are easier to recover, so the presence of a salt is bad in general for these purposes, but being aware of challenges is always a good thing. When salts are present you'd need additional tables to compensate for this. Each table would have a storage commitment, so large or multiple salts (each applied on a per-hash basis) will slow you down and make this impossible, or at least infeasible from a storage perspective, and take ages.

A 12-bit salt found on an old webserver would require 4096 (or 2^12) separate tables at maximum; brute forcing would take longer but would require far less resources and can be done remotely. There's always a time/storage tradeoff for shit like this.

SHA-256 would require 2^256 tables, which I am told by Wolfram Alpha is 115 quattuorvigintillion, or 1.2% of the atoms in the observable universe.

So longer words / MOAR BITS can make this process impossible, but any of these estimates are against an unknown password. Your mileage WILL vary.

THANKS for the information. I wasn't really sure, but your explanation was pretty good.



#4
Brute force it



#5
Generally brute forcing is the only way since hashes are one way.



#6
If they used a salt, then you can't even use pre-generated rainbow tables. If you have to ask this question, consider yourself out of luck.



#7
Send a polite e-mail to the NSA