Encryption vs Hashing Passwords

0
votes

Suppose I want develop a authetication/user system, and I'd like to be able to recover original users passwords if I need, what are the disvantages to encrypt password vs hashing from the security point of view?

Of course the application will use just the public key, and the authetication will be executed just comparing the encrypted strings with the public key.

The private key can be used in two way:

  1. I keep the private key on my offline devices for special manual password recovery operation.
  2. The private key is in the application but encrypted with a password.

Considering nobody (except me) can access the private key, what are the security weakness of these implementation choices rather than hashing password?

About the second option, potentially a hacker can hack the application server and wait I insert the password to decrypt the private key, but I think in this case the hacker can already do many more bad actions than to wait the private key decryption (as wait just user send their password when login and others...)

Thanks

EDIT: What I would mainly understand, is if using encryption is as safe as using hashing (of course supposing the cracker can't get private key).

2
securityencryptionhashpassword-protection
"I'd like to be able to recover original users passwords if I need" No, you don't need that. - Ry-
Just be aware that hashing is a one-way algorithm, you can't hash the password and recover the password later from the hash - Jerry B. no.1 intern
@Ryan Do you know what type of application I'm thinking to develop? Please, assume I could have the need to recover them. - Eghes
@JerryB.no.1intern Yes, I know. It's for this I'm asking about security weakness of encrypt rather than hash :) - Eghes
@Eghes The most obvious security weakness is from user perspective. Why would a user entrust you with his own private password? - SomeWittyUsername

2 Answers

1
votes

If your question is whether proper hash algorithms have flaws, and proper encryption schemes are correct then yes - both of them are correct for the intended usage.

This means that for instance for hashes there are no collisions and no reversibility. For encryption it would mean that one cannot decrypt within reasonable time. Please note that these are just two requirements, each have much more of them.

Now, the intended usage is important. If you need to reuse passwords then you will need to store them somehow. There are several possibilities, including encryption. As you noted, the risk is to retrieve the key (someone can hack your OS, or hack your application when it uses the key, ...).

I would warmly recommend to look for other possibilities (like authentication brokerage - offloading the authentication to someone else) before jumping into an architecture to store your passwords and keys.

0
votes

If you want to recover passwords, hashing is out of option. Hash is straight up one-way algorithm. So you have 2 options about encrypting passwords.

1- I keep the private key on my offline devices for special manual password recovery operation.

You could do that, if you are certain that your offline device won't be compromised.

2- The private key is in the application but encrypted with a password.

This could backfire since in case someone gets access to your code, they can deduce that you are encrypting passwords and storing them that way. That could motivate an attacker into accessing your private key.

Given these 2 options, I'd say first one is more secure, since you only have to worry about devices physical security.