-1

So one of the basic rules of website authentication is never to write unencrypted passwords to the database. I typically put in functionality to hash passwords when user accounts are created, so that you can't just open up the DB and see the password in a query. But since hashing is one-way, what's the best way for website admins who need access to usernames and passwords in user accounts to retrieve passwords?

I get that if there was a simple way to recover the clear-text password, there would be no point in hashing the passwords to begin with. But say an admin needs to log into the site as a certain user, then maybe the solution is to add a "log in as" feature available only to site admins? Or, if it's not a site that world-class hackers would be interested in, maybe it's okay to use a 2-way encrypt-decrypt system for passwords?

Improve this question
3
  • 3
    Even admins should not have access to these passwords. "Log in as" works different, as you can program a login to your application without checking for the proper password after all Commented Jun 8, 2023 at 17:56
  • I've heard that from many sources, that one should just let go of the idea of ever needing to know passwords. Okay, thanks. Commented Jun 8, 2023 at 18:16
  • One of the basic rules of website authentication is never to write un-hashed passwords to the database. You don’t encrypt passwords, you hash them. Admins don't need access to user passwords, and must not have it. Ever. Period. Commented Oct 27, 2023 at 16:38

1 Answer 1

Reset to default
1

Definitively go the "Log in as" route and never try to make the passwords retrievable. It is not necessary to know the password to reach your goal and it would endanger not only your site, but other sites as well, if the user reused the password.

Password-hashing not only includes a one-way hash, it also uses salting and key-stretching to mitigate rainbow tables and brute-force attacks. The sources telling about knowing the passwords to be ok, are just plain wrong!

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.