No, at least it was done just so you can not reverse. However, HMAC is not meant for password, so the only way we can recover the value may be a little faster.
HMAC is a Keyed Hash, it can be used for Message Authentication (MAC) and can also be used for Key Detection (KDF). Your use is neither, since you are using a password, not a key, for this purpose there is PBKDF2, which can use HMAC internally.
The only way to revert this value is just an exhaustive search, try all possible attempts, this can be done using Hashcat . But this is not so fast, especially if there are many passwords, using 8x GTX 1080 Ti this will make 4.300.000 attempts per second on average.
But if your intention is to "register in the encryption I use", you can simply register the hash and signal that user is using an old password.
For example, if you use hash_hmac
and now you want to change to argon2id
, you currently have something like:
Usuario | Senha | Salt
Inkeliz 0x00..00 0xFF...FF
Then just hash the hash:
Senha = argon2i(senha = 0x00..00, salt = 0xAF...AF)
So, assuming that Senha
returned 0xAA...AA
just use it and create a sign:
Usuario | Senha | Salt | SaltAntigo
Inkeliz 0xAA..AA 0xAF...AF 0xFF...FF
The SaltAntigo
could be boolean (true / false), for example EstaUsandoSenhaAntiga?
. But, we can also use it to save the old salt, if it is null it will indicate that it does not use the old one. If you intend to keep the same salt then you could use a boolean yourself. ;)
So if another user recently joined:
Usuario | Senha | Salt | SaltAntigo
Inkeliz 0xAA..AA 0xAF...AF 0xFF...FF
Novo 0xAB..AB 0xBF...BF null
In this way, for example:
$senha = $_POST['senha'];
if $salt_antigo !== null {
$senha = hmac($senha, $salt_antigo)
}
$senha = argon2id($senha, $salt)
//...
// Se tudo estiver certo e temos a senha dele,
// podemos atualizar para usar diretamente o novo algorítimo:
$nova_senha = argon2id($_POST['senha'], $novo_salt)
query("UPDATE contas SET Senha = $nova_senha, Salt = $novo_salt, SaltAntigo = null")
In this way everyone uses the new algorithm, those that use the old will upgrade to the new as they enter the site. ;)