I am working on a site that stores info via username/password. The previous programmer stored the passwords in the database but before storing them passed them through crypt()
I noticed this when I was given the task of creating a 'forgot your password?' script that would email the user the password. There are some 1000+ users now, is there any way to recover the passwords? The same salt string was used for all users and I do have that.
crypt($userspassword,'the salt string');
03-10-2003, 09:39 PM
how does the crypt function work? does it assign each letter a number e.g. a = 1 or is it more complex?
is there not a decrypt function?
surely there is a way as you must be able to sure a list of usernames for database admin purposes.
crypt is one way
the only way you are going to get around the 'forgot password' doodar is by generating a new one yourself, updating the db with the encrypted value and sending the non encrypted version to the relevent email address.
that also assures that their email address is still valid.
they could then use that new password to change it again using an online form.
Okii, that is what is being done currently, that plus a harvester I made that stores the pw in another field as each person logs in, but with this many users it could take months to regain all the passes. I would much prefer a function to anti-salt-crypt them...
I had the same problem. But to my amazement, I came up with a solution in seconds.
I had to make a new system for the same site, where people had the option of 'upgrading' their old account. But to upgrade account, you need the old password. So I had this problem of how I was going to check the pass.
I just say $blah = crypt(user input) and then if $blah == stored data then user input is the correct password.
But forgot password? I know its possible because I did it ages ago, and uses the process I have explained above without user-input. I forgot how to do it, so Im just here to boost up your confidence and let you know that it is possible.
You'll need it
03-11-2003, 02:38 PM
Bawy, if it would be possible to decrypt a salted and crpyt()ed password with a simple function, crypt() would be very pointless, wouldn't it? It's a one-way encryption like md5, and if there were a decrypting function... *shudder*
quoted from http://www.php.net/manual/en/function.crypt.php :
Note: There is no decrypt function, since crypt() uses a one-way algorithm.
Why do you need the user passwords in plain text anyway?
Morded, I did see that on php.net and you are correct about the pointlessness, but unfortunitly that still does not help my situation. If a user forgot their pass and cannot login I cannot email them their password. The best solution I have come up with is to generate a new one and email them that pass, afterwhich they can reset it to a pass of their choice. But problems can arise if someone (maliciously or unintentionally by coincidental typeo) enters another person's email address and resets their password. The real user will not be able to login until they check their email and see the notice of the reset pass.
Jesh, thanks, but I do not think you understand my dilema exactly. Users that know their pass can login fine, actually with exactly the logic you posted about crypt(userinput)==pass.
I would like to be able to get their current passes stored in plain text and I do not have the convenience to request all users login and change their pass (where I could capture it.)
03-12-2003, 03:49 AM
"But problems can arise if someone (maliciously or unintentionally by coincidental typeo) enters another person's email address and resets their password"
the general take on this is if a user wants to reset their password , they enter their email address , if this email address exists you send a conformation message to that email address which will include a link back to your page with a uniqueID which you will have made a copy of in your DB/flatfile when the user first requested the change.
if these match then and only then allow them to change the password.
pain the nether regions I know but effective.
the only way to retrieve the existing passwords is to get a wordlist or 2 and brute force the passwords!