Closed weitzhandler closed 8 years ago
You don't. If you could, then it'd not be very secure, would it?
Please refer to the Password Storage Cheat Sheet.
Here's the quoted part you are interested in, @weitzhandler:
Leverage an adaptive one-way function
Adaptive one-way functions compute a one-way (irreversible) transform
The rest is also very interesting to read if you are into this. I know @brockallen is :stuck_out_tongue:
Basic principle is... assume somebody is going to download your whole database and have all the time in the world to hack those passwords.
If you are using clear text... you are basically insane. If you are using encryption with a single key, they only need this to get everything (bad!). If you use hashing, they have to try every password one by one to get them (better). If you use hashing with salting per accounts, then they can't match identical in your database (excellent!). If you use hashing with a compute factor, then they will have an incredibly hard time finding individual passwords even if they use GPU farms to hack them (best so far!).
Your point shouldn't be in sending the user his password. It should be in providing him a way to reset his password with a link sent to a confirmed email address. No need to send passwords.
But basically... use something somebody else already did.
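The hashing ladder described above (one-way hash, per-account salt, tunable compute factor), as an added Python example that is not code from this thread or from ASP.NET Identity. The `pbkdf2_sha256$iterations$salt$hash` record layout and the function names are my own assumptions; verification recomputes the hash from the stored salt and work factor and compares, it never decodes anything, which is why the stored value cannot be "un-hashed":

```python
import hashlib
import hmac
import os

# Work factor: raise it as hardware gets faster. It is stored inside each
# record so old records can be detected and re-hashed on the next login.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt/work factor and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations))
    except ValueError:  # malformed record: never treat as a match
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record predates the current work-factor policy."""
    parts = stored.split("$")
    return len(parts) != 4 or int(parts[1]) < iterations


if __name__ == "__main__":
    first = hash_password("1234")
    second = hash_password("1234")
    # Same PIN, different salt: the two records do not match each other,
    # so an attacker with the whole table cannot group identical passwords.
    print(first != second)
    print(verify_password(first, "1234"))  # True
    print(verify_password(first, "4321"))  # False
```

Note the caveat raised later in the thread: a work factor slows each guess but does not rescue a 4-digit PIN, whose 10,000 possibilities remain trivially enumerable offline.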
In my scenario, the server doesn't hold very secure information and the end users are senior people most of them without computers or internet access, and they're accessing the system via phone authentication (the password consists of digits only). One of the requirements of my customer is to provide a back-office that gives complete control over the users and their passwords, so the secretary that manages the user base should be able to reveal users' passwords on demand. Isn't there a possible way to reverse the password hashing and display it to authorized roles?
Why do you need to reveal the password? Is this so a back-office user can login as an end-user?
No, it's so that when the end user calls up the back office asking "hello what's my password" she can tell the end user the password after verifying other identity details. This is my customer's demand. The end user data is all visible to the back office anyway.
Well, that's a tough call how to really design it for that requirement and also have any sort of meaningful security.
To answer your original question, why not replace the password hasher with your own that does a Nop?
Or just have the lady up front reset the password to anything she wants. Unsecure as hell... but hey. If there's nothing to protect.
Yes, especially if they're just 4-digit pins -- that's easily brute forceable. A pin on the web is just keeping honest people honest.
I didn't actually think it's going to be a real issue, but it's my customer's demand to let the back office RETRIEVE the user's password without having to reset it.
Isn't there a way to un-hash the password?
No, and that's by design. If you want it reversible, then you want to encrypt it (but then you have another problem, which is key management).
This is a BAD BAD BAD idea, but @weitzhandler you could... simply add a field to the database to store a copy of the password in however you want it to be, when it's created/updated, without changes to the identity model at all... Or better yet, explain to the customer that, while his/her company's data in this system does not need to be secured for some reason, people often use the same password for other things and his/her practice is compromising them as well.
You can't. You won't ever be able to. We will not support this at all.
@blowdart Thanks for the update. I've notified my customer and we agreed there will be a single-click way for the back office to reset a user's password.
Hi,
I'm in a scenario where I need to display the password to the user. How do I achieve that? I found no matching option on the `UserManager`.