  1. #1
    New Coder
    Join Date
    Sep 2002
    Location
    eNYCe
    Posts
    83
    Thanks
    0
    Thanked 0 Times in 0 Posts

    anyway to recover passwords made by crypt()???

    I am working on a site that stores info via username/password. The previous programmer stored the passwords in the database but before storing them passed them through crypt()

    I noticed this when I was given the task of creating a 'forgot your password?' script that would email the user the password. There are some 1000+ users now, is there any way to recover the passwords? The same salt string was used for all users and I do have that.

    crypt($userspassword,'the salt string');

  • #2
    Senior Coder
    Join Date
    Jun 2002
    Location
    UK
    Posts
    1,137
    Thanks
    0
    Thanked 0 Times in 0 Posts
    how does the crypt function work? does it assign each letter a number e.g. a = 1 or is it more complex?

    is there not a decrypt function?
    surely there is a way as you must be able to sure a list of usernames for database admin purposes.

    scroots
    Spammers next time you spam me consider the implications:
    (1) that you will be persuaded by me (in a legitimate manner)
    (2) It is worthless to you, when I have finished

  • #3
    Regular Coder
    Join Date
    Jun 2002
    Location
    UK
    Posts
    577
    Thanks
    0
    Thanked 0 Times in 0 Posts
    crypt is one way

    the only way you are going to get around the 'forgot password' doodar is by generating a new one yourself, updating the db with the encrypted value and sending the non encrypted version to the relevant email address.

    that also assures that their email address is still valid.

    they could then use that new password to change it again using an online form.
    Ökii - formerly pootergeist
    teckis - take your time and it'll save you time.

  • #4
    New Coder
    Join Date
    Sep 2002
    Location
    eNYCe
    Posts
    83
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Scroots:
    php.net/crypt

    Okii, that is what is being done currently, that plus a harvester I made that stores the pw in another field as each person logs in, but with this many users it could take months to regain all the passes. I would much prefer a function to anti-salt-crypt them...

  • #5
    Registered User
    Join Date
    Feb 2003
    Posts
    43
    Thanks
    0
    Thanked 0 Times in 0 Posts

    HAHAHAHAHAH!

    I had the same problem. But to my amazement, I came up with a solution in seconds.

    I had to make a new system for the same site, where people had the option of 'upgrading' their old account. But to upgrade account, you need the old password. So I had this problem of how I was going to check the pass.

    I just say $blah = crypt(user input) and then if $blah == stored data then user input is the correct password.

    But forgot password? I know it's possible because I did it ages ago, and uses the process I have explained above without user-input. I forgot how to do it, so I'm just here to boost up your confidence and let you know that it is possible.

    Good Luck
    You'll need it
    :P

  • #6
    Senior Coder
    Join Date
    Jun 2002
    Location
    frankfurt, german banana republic
    Posts
    1,848
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Bawy, if it would be possible to decrypt a salted and crypt()ed password with a simple function, crypt() would be very pointless, wouldn't it? It's a one-way encryption like md5, and if there were a decrypting function... *shudder*

    quoted from http://www.php.net/manual/en/function.crypt.php :
    Note: There is no decrypt function, since crypt() uses a one-way algorithm.
    Why do you need the user passwords in plain text anyway?

  • #7
    New Coder
    Join Date
    Sep 2002
    Location
    eNYCe
    Posts
    83
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Morded, I did see that on php.net and you are correct about the pointlessness, but unfortunately that still does not help my situation. If a user forgot their pass and cannot login I cannot email them their password. The best solution I have come up with is to generate a new one and email them that pass, after which they can reset it to a pass of their choice. But problems can arise if someone (maliciously or unintentionally by coincidental typo) enters another person's email address and resets their password. The real user will not be able to login until they check their email and see the notice of the reset pass.

    Jesh, thanks, but I do not think you understand my dilemma exactly. Users that know their pass can login fine, actually with exactly the logic you posted about crypt(userinput)==pass.

    I would like to be able to get their current passes stored in plain text and I do not have the convenience to request all users login and change their pass (where I could capture it.)

  • #8
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,040
    Thanks
    10
    Thanked 92 Times in 90 Posts
    "But problems can arise if someone (maliciously or unintentionally by coincidental typo) enters another person's email address and resets their password"

    the general take on this is if a user wants to reset their password, they enter their email address, if this email address exists you send a confirmation message to that email address which will include a link back to your page with a uniqueID which you will have made a copy of in your DB/flatfile when the user first requested the change.
    if these match then and only then allow them to change the password.

    pain in the nether regions I know but effective.

    the only way to retrieve the existing passwords is to get a wordlist or 2 and brute force the passwords!
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
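
The confirmation-link reset described in post #8, as an added example that is not code from any poster in this thread: the stored password changes only when the unique ID from the e-mailed link matches the copy kept in the database. The table and column names, the one-hour expiry, the in-memory SQLite database and the use of password_hash() in place of the thread's shared-salt crypt() are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite with one sample account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pass TEXT)');
$db->exec('CREATE TABLE resets (email TEXT PRIMARY KEY, token_hash TEXT, expires INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: someone submits an e-mail address. The account itself is not touched.
function requestReset(PDO $db, string $email): ?string {
    $q = $db->prepare('SELECT 1 FROM users WHERE email = ?');
    $q->execute([$email]);
    if (!$q->fetchColumn()) {
        return null;                     // unknown address: nothing to send
    }
    $token = bin2hex(random_bytes(32));  // unguessable unique ID for the link
    // Keep only a hash of the ID, so a leaked table cannot be replayed as links.
    $db->prepare('REPLACE INTO resets VALUES (?, ?, ?)')
       ->execute([$email, hash('sha256', $token), time() + 3600]);
    return $token;                       // placed in the e-mailed link, shown nowhere else
}

// Step 2: the mailbox owner follows the link and submits a new password.
function completeReset(PDO $db, string $email, string $token, string $newPass): bool {
    $q = $db->prepare('SELECT token_hash, expires FROM resets WHERE email = ?');
    $q->execute([$email]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int)$row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;                    // no match: existing password stays valid
    }
    $db->prepare('UPDATE users SET pass = ? WHERE email = ?')
       ->execute([password_hash($newPass, PASSWORD_DEFAULT), $email]);
    $db->prepare('DELETE FROM resets WHERE email = ?')->execute([$email]); // single use
    return true;
}

// A wrong ID is rejected, the mailed ID works once, and a replay fails.
$token = requestReset($db, 'alice@example.test');
var_dump(completeReset($db, 'alice@example.test', 'wrong-token', 'x'));
var_dump(completeReset($db, 'alice@example.test', $token, 'new-password'));
var_dump(completeReset($db, 'alice@example.test', $token, 'again'));
```

Because the request step never modifies the users table, a mistyped or malicious request for someone else's address leaves that person's current password working.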

