Encrypted Passwords in MySQL



dniwebdesign
12-30-2003, 10:40 PM
I have a forums script on a website (Invision Board, to be exact). Of course all the passwords are encrypted, but I would like it so I can take the encrypted password and decrypt it. My admin area of my board allows me to change the password, but for some users I would like to be able to view the password so if something is going on that they can't view the board I can try logging in with their username and password and see where the board is going wrong so I can fix the problem.

Is there any script that would do this?

Also, is there any way you can make a script that doesn't use the encryption method (a chat room) use the same username and password as one that does (my forums)? Thanks

Spookster
12-30-2003, 10:43 PM
The point of encrypting the password is so that nobody can decrypt it. So unless you plan on modifying Invision Board's code and stopping it from encrypting the passwords, you are pretty much out of luck.

raf
12-30-2003, 11:45 PM
Originally posted by dniwebdesign
Of course all the passwords are encrypted but I would like it so I can take the encrypted password and decrypt it.

Depends on the encryption method used.
This is a bit academic maybe, but encryption methods are reversible (decryption). Hashing algorithms are not reversible.
For passwords, you normally use a hashing algorithm. I suppose Spookster thought along these lines.

But if you really use an encryption method, then you can decrypt it again. For transferring text, you will normally use encryption (encrypted by the sender, decrypted by the receiver).


Originally posted by dniwebdesign
for some users I would like to be able to view the password so if something is going on that they can't view the board I can try logging in with their username and password and see where the board is going wrong so I can fix the problem.

The only extra security hashing passwords offers is that no one with access to the db can see and use them. That is all.
So you're willing to give that up for what? If you can log in with your regular username and pwd, then so should the client. There is nothing much more to say about that.


Originally posted by dniwebdesign
Also is there anyway you can make a script that doesn't use the encryption method (a chat room) use the same username and password as one that does (my forums)?

What's the point? The user won't notice it. And your chatroom password version will then compromise your forum password.
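The hashing point above, and one way a chat room could share the forum's login without keeping a readable copy of the password, as an added example that is not part of the original thread. PBKDF2-HMAC-SHA256 from Python's standard library stands in for whatever hashing the board actually uses; the `USERS` table, the function names and the sample password are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def make_record(password: str) -> dict:
    """What the shared users table stores: a random salt and a one-way digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the digest from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Constructed sample data: one row of a hypothetical shared users table.
USERS = {"alice": make_record("correct horse battery staple")}


def check_login(username: str, attempt: str) -> bool:
    """Single verifier; unknown users and wrong passwords both return False."""
    record = USERS.get(username)
    return record is not None and verify(record, attempt)


def forum_login(username: str, password: str) -> bool:
    return check_login(username, password)


def chat_login(username: str, password: str) -> bool:
    # The chat room reads the same row; it keeps no password copy of its own.
    return check_login(username, password)


if __name__ == "__main__":
    print(forum_login("alice", "correct horse battery staple"))  # True
    print(chat_login("alice", "wrong guess"))                    # False
    print(sorted(USERS["alice"]))  # ['hash', 'iterations', 'salt']
```

Because each record gets its own salt, two users with the same password have different stored hashes, so someone reading the table cannot match accounts by comparing rows.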

Spookster
12-31-2003, 12:55 AM
Originally posted by raf
I suppose Spookster thought along these lines.


Of course. It would be pointless to encrypt something using a ready-made function that also has a ready-made function that is publicly available to decrypt it.

Encrypting the passwords adds another level of protection even if a hacker gets into the system. Also, if anybody else has legitimate access to the server but you really don't want them looking at your users' passwords, then encrypting would alleviate that problem. So if you had a disgruntled ex-employee you wouldn't have to worry about them messing with your users' accounts.

Nightfire
12-31-2003, 03:04 AM
Only way you're gonna do it is by asking for their username and password. No point in making them details easy to obtain by anyone.


