Problem decrypting hash in Base64


Viewed 654 times

3

I was reading about an Apache rule for validating permissions to access files/directories, and saw that the default file that reads the user and password was:

user:password (the password being in base64).

I tried to decode the password through the Linux terminal, but only an error message was returned:

~$ echo "zuQCCnEXtTamg" | base64 -d

~$ Invalid Input

And in Windows with certutil:

Invalid data returned

I searched and saw that this error is generated by the type of character encoding with which the file was encoded (UTF-8, UTF-16, etc.).

The problem is that I don’t know how it was encoded and where (as Windows uses UTF-8 and Linux does not by default). Is there any way to find out how it was encoded and its encoding?

Hash: zuQCCnEXtTamg

  • echo "zuQCCnEXtTamg" | base64 -d, that was on Linux. On Windows I used cerUtil --decode ... The result on Linux was: garbled characters, and on Windows: Invalid data returned

  • @user3386417 put this information in the question as well!!!

2 answers

2

That’s not how .htpasswd works... What is stored is not the password encoded in base 64, but rather a hash of the password - and to my knowledge, this is not necessarily encoded in base 64 (it can specify the algorithm, parameters and salt, each in its own format and all separated by $).

If you’re not familiar with hashes, see that related question. It is impossible (except by trial and error) to recover the original password from the hash, so trying to "decode" the text in base 64 gives no result (regardless of the output encoding). To authenticate a user, what Apache does is re-hash the password sent and compare its hash with the hash saved in the file.

Getting the original password from the hash is at best laborious, and at worst impossible [in practice]. Note further that the hash used as default by Apache (MD5 or crypt) is considered "weak" (see linked question), so that newer systems (Apache 2.4+) should migrate to bcrypt. If this algorithm is used, it is in fact impossible to attempt to recover the password from the hash.

Note: See that question on security.SE (in English) for reasons why it is important to use a "strong" hash in this situation, although at first glance it does not seem so.
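The value in the question is 13 characters drawn from the crypt(3) alphabet, which is the shape of a traditional crypt hash rather than Base64. The sketch below is an added example, not part of the original answer: it classifies the hash field of .htpasswd lines by format, flags the schemes considered weak, and shows the re-hash-and-compare check for the `{SHA}` form. The function names, the user names and the sample lines are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, re

# crypt(3): 2 salt + 11 hash characters from its own 64-character alphabet,
# which is not the Base64 alphabet.
CRYPT_DES = re.compile(r"[./0-9A-Za-z]{13}")
WEAK = {"crypt-des", "apr1-md5", "sha1-unsalted"}

def classify(hash_field):
    """Name the scheme of the hash field of a 'user:hash' .htpasswd line."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if re.match(r"\$2[abxy]\$", hash_field):
        return "bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"
    if CRYPT_DES.fullmatch(hash_field):
        return "crypt-des"
    return "unrecognised"

def decodes_as_base64(text):
    """True only if text is well-formed Base64 (strict alphabet and padding)."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except binascii.Error:
        return False

def sha_entry(password):
    """Build the {SHA} form: Base64 of the raw SHA-1 digest, no salt."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def verify_sha(candidate, hash_field):
    """Authenticate by re-hashing the candidate and comparing, never decoding."""
    return hmac.compare_digest(sha_entry(candidate), hash_field)

def audit(lines):
    """Return (user, scheme, is_weak) for each 'user:hash' line."""
    pairs = (line.strip().partition(":")[::2] for line in lines)
    return [(u, classify(h), classify(h) in WEAK) for u, h in pairs]

# Constructed sample file; only the first hash value comes from the question.
SAMPLE = [
    "user1:zuQCCnEXtTamg",
    "user2:$apr1$saltsalt$" + "x" * 22,   # placeholder, not a real hash
    "user3:$2y$05$" + "x" * 53,           # placeholder, not a real hash
    "user4:" + sha_entry("example"),
]
```

Running `audit(SAMPLE)` marks every entry except the bcrypt one as a candidate for migration, and `decodes_as_base64("zuQCCnEXtTamg")` is false because 13 characters cannot form complete Base64 groups.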

0

macOS decoded "q? 6?", but I used --decode:

echo zuQCCnEXtTamg | base64 --decode
??
q?6?Paulo:~ paulo$ 

On this website http://www.base64decode.org the result was "Q6"
