6
votes
from django.contrib.auth.models import User
u = User.objects.get(username='test')
u.password
u'sha1$c6755$66fc32b05c2be8acc9f75eac3d87d3a88f513802'

Is reversing this password encryption possible?

4
It's actually not encrypted. It's hashed, making it theoretically impossible to reverse with absolute certainty. – recursive

4 Answers

19
votes

Yes, it's possible. All you need is a few million years, and a computer the size of our solar system.

18
votes

SHA-1 is a one-way hash. It cannot be reversed except by using a brute-force attack, which will take millions of years.

There are some online databases that let you reverse the hash of common words/combinations of words. However, Django adds "salt" to the password before it computes the hash, so you cannot reverse Django passwords.

That's why a hash is used. Nobody can find out your password, not even sys admins :-)
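The stored value in the question has the layout `algorithm$salt$hexdigest`. The sketch below is an added example, not part of any answer and not Django's own code: it shows how such a value is checked at login by recomputing the digest, and why the salt makes a table of plain SHA-1 digests useless. It assumes the legacy scheme of SHA-1 over salt followed by password; the function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Value shown in the question.
PAGE_VALUE = "sha1$c6755$66fc32b05c2be8acc9f75eac3d87d3a88f513802"


def parse_encoded(encoded):
    """Split 'algorithm$salt$hexdigest' into its three fields."""
    parts = encoded.split("$")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected algorithm$salt$hexdigest")
    return tuple(parts)


def make_encoded(password, salt=None):
    """Build a legacy-style string (assumed scheme: sha1 over salt + password)."""
    if salt is None:
        salt = secrets.token_hex(3)[:5]  # 5 hex chars, like the salt above
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def check_password(candidate, encoded):
    """Verify by recomputing the digest; nothing is ever decrypted."""
    algorithm, salt, stored = parse_encoded(encoded)
    if algorithm != "sha1":
        raise ValueError("unsupported algorithm: %s" % algorithm)
    recomputed = parse_encoded(make_encoded(candidate, salt))[2]
    return hmac.compare_digest(recomputed, stored)  # constant-time compare


def unsalted_sha1(password):
    """The digest a precomputed table of common words would hold."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(parse_encoded(PAGE_VALUE))
    a = make_encoded("correct horse", salt="c6755")  # constructed sample
    b = make_encoded("correct horse", salt="9f1a2")  # same password, other salt
    print(check_password("correct horse", a), check_password("wrong", a))
    print(a != b, unsalted_sha1("correct horse") != parse_encoded(a)[2])
```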

8
votes

No, that's the point.

If your user forgot their password, you'll have to reset it.

1
votes

Django uses SHA-1, which is a one-way hash, for password hashing and "salts" the passwords before encrypting them. So it will take a much longer time (maybe our lifetime) to decrypt them. The passwords are hashed so that no one will be able to decrypt them even if they have the hashed values.