unhashing / decrypting passwords

Viewing 18 replies - 1 through 18 (of 18 total)

  • Ashfame
    Participant

    @ashfame

    Just use the md5 function while entering a value and then log in once.


    Ashfame
    Participant

    @ashfame

    unhashing / decrypting is not possible, at least practically


    KentonMr
    Member

    @kentonmr

    Sorry, I’m confused – either it is or isn’t.

    As the user logs on regularly to bbPress they enter their user name and their password.

    I presume that these are compared with the values in the database to enable logon. Either the given password is md5()’d or the database value is unencrypted to make this comparison.

    As I have tried md5(‘mypass’) and it does not produce the same value as in the database something fishy is going on.


    KentonMr
    Member

    @kentonmr

    Perhaps the only solution to this is to replace all the hashing code and store a retrievable password in the field.

    It is going to really upset the users having to go through registration again but it is far better getting one hit of all the frustrated users while I can blame it on the dumb software rather than being hit by the same problem time and time again as new users forget their passwords, we integrate other systems, etc.

    I still don’t get why md5(mypass) doesn’t give the same as in the database and I really cannot be bothered unraveling all the code to find out what is not obvious.


    zaerl
    Participant

    @zaerl

    The MD5 function (SHA, AES et similia) isn’t an encryption function but a “one-way” cryptographic hash function. An encryption function takes a plaintext (a discrete sequence of bytes) and a password, and encrypts the text, creating another sequence of bytes called cipher text. The same function can be used (with some changes) to transform the cipher text back to plain text.

    A cryptographic hash function instead creates a checksum that is a fixed-size string. It’s obviously a one-way process and bbPress, as well as any other software that stores passwords, uses it to check if a password is valid.

    http://en.wikipedia.org/wiki/Cryptographic_hash_function

    http://en.wikipedia.org/wiki/Cryptographic_software

    There is a lot of software that also stores all the passwords (encrypted or not) in the database, but it’s a potential security issue because an attacker who gains temporary access to the data can retrieve all the passwords. In bbPress it’s “impossible.” I used the quotes because MD5 is a very old hash function and it has been demonstrated to be vulnerable to cryptanalysis.


    KentonMr
    Member

    @kentonmr

    The solution will be to dig into the code, add an extra field to the table, and set this field with the real password (encrypted with a workable encryption routine) the next time a forum user logs on.

    After a reasonable length of time all users should have logged back on and an accessible copy of the password obtained.

    As said I still don’t understand why the md5(‘mypass’) does not match the one in the table – there must be a comparison made at some stage or no one would ever get logged in.


    zaerl
    Participant

    @zaerl

    As said I still don’t understand why the md5(‘mypass’) does not match the one in the table

    If you open phpMyAdmin, choose MD5 and select a new password, then you can log in without problems. Once you have logged in, bbPress generates a salt and changes the password stored in the database. See file class.passwordhash.php line 119.
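
Added example (not part of the thread and not bbPress's own code): the login flow zaerl describes, where a bare MD5 value is accepted once and then replaced by a salted hash, which is why `md5('mypass')` stops matching the stored value. The function name `check_login` is hypothetical, and PHP's built-in `password_hash()` is used here in place of the hashing done in class.passwordhash.php.

```php
<?php
// Added illustration, not bbPress code. password_hash() stands in for the
// salted hash that bbPress writes back after a successful login.

/**
 * Check a login and return [bool $ok, string $valueToStore].
 * A legacy unsalted MD5 is accepted once and replaced by a salted hash.
 */
function check_login(string $password, string $stored): array
{
    // Legacy row: bare 32-character hex MD5, e.g. typed in via phpMyAdmin.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, $stored];
        }
        // Correct password: upgrade the row to a salted hash.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    // Salted row: algorithm, cost and salt are encoded in $stored itself,
    // so verification re-derives the hash with the same salt.
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $stored];
}

// Constructed sample: an administrator set the column to MD5('mypass').
$row = md5('mypass');

[$ok, $row] = check_login('mypass', $row);
printf("first login ok: %s\n", var_export($ok, true));
printf("row still equals md5('mypass'): %s\n", var_export($row === md5('mypass'), true));

[$ok] = check_login('mypass', $row);
printf("second login ok: %s\n", var_export($ok, true));

[$ok] = check_login('wrong', $row);
printf("wrong password ok: %s\n", var_export($ok, true));

// Each call draws a fresh random salt, so equal passwords give different rows.
$a = password_hash('mypass', PASSWORD_DEFAULT);
$b = password_hash('mypass', PASSWORD_DEFAULT);
printf("two hashes of the same password equal: %s\n", var_export($a === $b, true));
```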


    ITchimes
    Member

    @itchimes

    public static bool VerifyHash(string password, string hash)
    {
        // Hash the input. GetHash is the poster's own helper and is not shown in the post.
        string hashOfInput = GetHash(password);

        // Return true if they are the same.
        return String.Compare(hashOfInput, hash, StringComparison.OrdinalIgnoreCase) == 0;
    }

    This is an example of inserting a password in encoded form.


    KentonMr
    Member

    @kentonmr

    All very nice, but I don’t want to hash the password – I want it raw.

    Too late now; I have added my own code and field to the table to fix it.

    The password is saved in the table in an encrypted form that can be decrypted as and when required.

