Odd story I've got here. I have a new client who had a script written in (or around) 2005 by someone else. Client recently experienced data loss of ALL of their website files and recent database dumps. The most recent dump they have is from mid-2008, and I've been tasked with rewriting the script from scratch around this database.
The passwords in this dump appear to be a simple HEX encoding, but so far I've been unable to figure out exactly how to reverse them (I want to reverse them so that I can store them as SHA-1). Client doesn't want to reset the users' passwords, which is why I'm trying to go about it this way. I'm hoping someone will be able to take a look and figure out exactly what's going on...
A couple of examples are here:
There are a little over 200K registered users at this website, so I understand the client's concern on generating new passwords for everyone.
I'm hoping someone can help me out here, but if not, I guess everyone is getting a new password
All you really need is the original algorithm to convert plain-text password to the encrypted password...doesn't matter if encryption is destructive or not. If you can get a known password (ie your client's password) you can test different algorithms until you figure out what's in the special sauce--perhaps the original developer would be available to help, or left other scripts laying around that probably use the same encryption scheme.
Then, when any other user enters a password, if it validates you can convert it to SHA1.
It is very unlikely that you will be able to recover the original password from a password hash. Password hashes are different from encryption - encryption is normally bi-directional; in other words, once something has been encrypted it can then be decrypted and the original data restored.
Password hashes don't work like that -- when we store a password, we don't need to be able to recover the original password, all we need to be able to do is check any password the user enters to ensure it matches the one that's stored. A hash is a one-way algorithm, and what that means is that given the same input data the hash will produce the same output - so you can use this to compare a password against the one on file to see if it's the same, however - there's no way to go from the hash back to the original password - short of using a brute-force password cracker.
Password crackers work by having a massive list of possible passwords - they then go through each one on the list and hash it, then they compare the hash against the stored one and if it matches, we know we have the right password. Unfortunately this only works if the password was on the original list - the size of the list then becomes a compromise - the longer the word list, the more time the crack takes, but the higher the probability of you recovering the password.
Thank you, but I'm well aware of how hashes work. When I originally saw the passwords, I thought that perhaps they had been generated using some sort of custom algorithm, which is why I was looking for help. If you see my follow-up post, however, you'll notice that I figured out how they were generated, and accepted the fact that we would not be decoding them.