unhashing / decrypting passwords
-
To put it simply I need to unhash / decrypt the password to reveal the current password in the database.
I have found this topic http://bbpress.org/forums/topic/cant-administer-my-site#post-73724
which indicates the password is md5 encoded
However testing md5(‘mypass’) in mysql5 produces a value quite different from the ‘mypass’ used in the bbPress table.
-
just use the md5 function while entering a value and then login once
just use the md5 function while entering a value and then login once
unhashing / decrypting is not possible, at least practically
unhashing / decrypting is not possible, at least practically
Sorry, I’m confused – either it is or isn’t.
As the user logs on regularly to bbPress they enter their user name and their password.
I presume that these are compared with the values in the database to enable logon. Either the given password is md5()’d or the database value is unencrypted to make this comparison.
As I have tried md5(‘mypass’) and it does not produce the same value as in the database something fishy is going on.
Sorry, I’m confused – either it is or isn’t.
As the user logs on regularly to bbPress they enter their user name and their password.
I presume that these are compared with the values in the database to enable logon. Either the given password is md5()’d or the database value is unencrypted to make this comparison.
As I have tried md5(‘mypass’) and it does not produce the same value as in the database something fishy is going on.
Perhaps the only solution to this is to replace all the hashing code and store a retrievable passford in the field.
It is going to really upset the users having to go through registration again but it is far better getting one hit of all the frustrated users while I can blame it on the dumb software rather than being hit by the same problem time and time again as new users forget their passwords, we integrate other systems, etc.
I still don’t get why md5(mypass) doesn’t give the same as in the database and I really cannot be bothered unraveling all the code to find out what is not obvious.
Perhaps the only solution to this is to replace all the hashing code and store a retrievable passford in the field.
It is going to really upset the users having to go through registration again but it is far better getting one hit of all the frustrated users while I can blame it on the dumb software rather than being hit by the same problem time and time again as new users forget their passwords, we integrate other systems, etc.
I still don’t get why md5(mypass) doesn’t give the same as in the database and I really cannot be bothered unraveling all the code to find out what is not obvious.
The MD5 function (SHA, AES et similia) isn’t a encryption function but a “one-way” cryptographic hash function. An encryption function takes a plaintext (a discrete sequence of bytes), a password and encrypt the text creating another sequence of bytes called cipher text. The same function can be used (with some changes) to transform back the cipher text to plain text.
A cryptographic hash function instead creates a checksum that is a fixed-size string. It’s obviously a one-way process and bbPress, as well as any other software the stores password, use it to check if a password is valid.
http://en.wikipedia.org/wiki/Cryptographic_hash_function
http://en.wikipedia.org/wiki/Cryptographic_software
There are a lot of software that also store all the passwords (encrypted or not) in the database but it’s a potential security issue cause an attacker that gains temporary access to the data can retrieve all the passwords. In bbPress it’s “impossible.” I used the quotes cause MD5 is a very old hash function and it has been demostrated to be vulnerable to cryptanalysis.
The MD5 function (SHA, AES et similia) isn’t a encryption function but a “one-way” cryptographic hash function. An encryption function takes a plaintext (a discrete sequence of bytes), a password and encrypt the text creating another sequence of bytes called cipher text. The same function can be used (with some changes) to transform back the cipher text to plain text.
A cryptographic hash function instead creates a checksum that is a fixed-size string. It’s obviously a one-way process and bbPress, as well as any other software the stores password, use it to check if a password is valid.
http://en.wikipedia.org/wiki/Cryptographic_hash_function
http://en.wikipedia.org/wiki/Cryptographic_software
There are a lot of software that also store all the passwords (encrypted or not) in the database but it’s a potential security issue cause an attacker that gains temporary access to the data can retrieve all the passwords. In bbPress it’s “impossible.” I used the quotes cause MD5 is a very old hash function and it has been demostrated to be vulnerable to cryptanalysis.
The solution will be to dig into the code, add an extra field to the table, and set this field with the real password (encrypted with a workable encryption routine) the next time a forum user logs on.
After a reasonable length of time all users should have logged back on and an accessible copy of the password obtained.
As said I still don’t understand why the md5(‘mypass’) does not match the one in the table – there must be a comparison made at some stage or no one would ever get logged in.
The solution will be to dig into the code, add an extra field to the table, and set this field with the real password (encrypted with a workable encryption routine) the next time a forum user logs on.
After a reasonable length of time all users should have logged back on and an accessible copy of the password obtained.
As said I still don’t understand why the md5(‘mypass’) does not match the one in the table – there must be a comparison made at some stage or no one would ever get logged in.
As said I still don’t understand why the md5(‘mypass’) does not match the one in the table
If you open phpmyadmin, you choose MD5 and you select a new password the you can login without problems. Once you logged in bbPress generate a salt and change the password stored in the database. See file class.passwordhash.php line 119.
As said I still don’t understand why the md5(‘mypass’) does not match the one in the table
If you open phpmyadmin, you choose MD5 and you select a new password the you can login without problems. Once you logged in bbPress generate a salt and change the password stored in the database. See file class.passwordhash.php line 119.
public static bool VerifyHash(string password, string hash)
{
// Hash the input.
string hashOfInput = GetHash(password);
// Return true if they are the same
return String.Compare(hashOfInput, hash, StringComparison.OrdinalIgnoreCase) == 0;
}
This is example of inserting password in encoded form.
public static bool VerifyHash(string password, string hash)
{
// Hash the input.
string hashOfInput = GetHash(password);
// Return true if they are the same
return String.Compare(hashOfInput, hash, StringComparison.OrdinalIgnoreCase) == 0;
}
This is example of inserting password in encoded form.
all very nice but I don’t want to hash the password – I want it raw.
Too late now I have added my own code and field to the table to fix it
The password is saved in the table in an encrypted form that can be decrypted as and when required.
all very nice but I don’t want to hash the password – I want it raw.
Too late now I have added my own code and field to the table to fix it
The password is saved in the table in an encrypted form that can be decrypted as and when required.
- You must be logged in to reply to this topic.