No, it is not possible to know a user's password directly from the database in Ory. Ory follows security best practices by storing passwords in a hashed format, not in plain text. Here's why: 1. Password hashing: When a user sets or changes their password, Ory hashes the password before storing it in the database. This means the original password is transformed into an irreversible string of characters. 2. Secure storage: As mentioned in the [Import identities documentation](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#clear-text-password), when importing user accounts, even if you provide a clear text password, Ory will hash it according to the configured password hashing algorithm before storing it in the database. 3. Password verification: When a user attempts to log in, Ory compares the hash of the entered password with the stored hash. If they match, the login is successful. This process allows for password verification without ever storing or exposing the actual password. 4. Migration support: Ory supports importing hashed passwords from various formats and can migrate them to its configured hashing algorithm. This further emphasizes that passwords are always stored in a hashed format, not in plain text. By design, this approach ensures that even if someone gains access to the database, they cannot retrieve the original passwords. This is a crucial security measure to protect user credentials.

@chilly-king-10285 if i know the hash key can i decode the password?

No, even if you know the hash key, you cannot decode or reverse-engineer the password from its hash. This is a fundamental security principle that Ory and other secure systems adhere to. Here's why: 1. One-way function: Password hashing algorithms are designed to be one-way functions. This means that while it's easy to compute the hash from a password, it's computationally infeasible to derive the original password from the hash. 2. Salting: Ory uses salting in its password hashing process. As mentioned in the [Import identities documentation](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#salted-format-hashes-with-salt-1), salts are added to passwords before hashing. This makes it even more difficult to crack the hash, even if you know the hashing algorithm and the salt. 3. Multiple hashing algorithms: Ory supports various hashing algorithms like SHA1, SHA256, SHA512, and others. Each of these is designed to be cryptographically secure and resistant to reverse-engineering. 4. Computational difficulty: Modern hashing algorithms like Argon2, which Ory uses, are designed to be computationally expensive. As noted in the [Performance debugging documentation](https://www.ory.sh/docs/kratos/debug/performance-out-of-memory-password-hashing-argon2), these algorithms can be tuned to increase security at the cost of more computational resources. 5. Password verification: Instead of decoding, systems like Ory verify passwords by hashing the input and comparing it to the stored hash. If they match, the password is correct. It's important to note that the inability to decode password hashes is a security feature, not a limitation. This design ensures that even if an attacker gains access to the hashed passwords, they cannot easily determine the original passwords.