-
10-16-2009, 04:39 PM #1 Web Hosting Master
- Join Date
- Feb 2003
- Location
- AR
- Posts
- 2,382
Need some help decoding (If possible)
Odd story I've got here. I have a new client who had a script written in (or around) 2005 by someone else. Client recently experienced data loss of ALL of their website files and recent database dumps. The most recent dump they have is from mid-2008, and I've been tasked with rewriting the script from scratch around this database.
The passwords in this dump appear to be a simple HEX encoding, but so far I've been unable to figure out exactly how to reverse them (I want to reverse them so that I can store them as SHA-1). Client doesn't want to reset the users' passwords, which is why I'm trying to go about it this way. I'm hoping someone will be able to take a look and figure out exactly what's going on...
A couple of examples are here:
0068102b7f6b3d9c
6327ff773af534c3
There are a little over 200K registered users at this website, so I understand the client's concern on generating new passwords for everyone.
I'm hoping someone can help me out here, but if not, I guess everyone is getting a new password.
-
10-16-2009, 04:56 PM #2 Web Hosting Master
- Join Date
- Feb 2003
- Location
- AR
- Posts
- 2,382
It just occurred to me that those hashes look a lot like ones generated by old versions of mysql's password() function, which, as far as I can remember, are irreversible.
Unless someone gives me some information to the contrary, it looks like everyone is getting new passwords.
-
10-16-2009, 05:03 PM #3 Web Hosting Master
- Join Date
- May 2009
- Posts
- 766
All you really need is the original algorithm to convert plain-text password to the encrypted password... doesn't matter if encryption is destructive or not. If you can get a known password (i.e. your client's password) you can test different algorithms until you figure out what's in the special sauce--perhaps the original developer would be available to help, or left other scripts lying around that probably use the same encryption scheme.
Then, when any other user enters a password, if it validates you can convert it to SHA1.
-
10-16-2009, 05:22 PM #4 Web Hosting Master
- Join Date
- Feb 2003
- Location
- AR
- Posts
- 2,382
I was just sent another database dump from the client, and sure enough, the passwords are being stored with mysql's password() function.
So we'll just check the password when users log in, do the conversion and update the table...
-
10-27-2009, 07:10 AM #5 Junior Guru Wannabe
- Join Date
- Aug 2007
- Location
- Brighton, UK
- Posts
- 66
It is very unlikely that you will be able to recover the original password from a password hash. Password hashes are different from encryption - encryption is normally bi-directional; in other words, once something has been encrypted it can then be decrypted and the original data restored.
Password hashes don't work like that -- when we store a password, we don't need to be able to recover the original password, all we need to be able to do is check any password the user enters to ensure it matches the one that's stored. A hash is a one-way algorithm, and what that means is that given the same input data the hash will produce the same output - so you can use this to compare a password against the one on file to see if it's the same, however - there's no way to go from the hash back to the original password - short of using a brute-force password cracker.
Password crackers work by having a massive list of possible passwords - they then go through each one on the list and hash it, then they compare the hash against the stored one and if it matches, we know we have the right password. Unfortunately this only works if the password was on the original list - the size of the list then becomes a compromise - the longer the word list, the more time the crack takes, but the higher the probability of you recovering the password.
-
10-27-2009, 09:18 AM #6 Web Hosting Master
- Join Date
- Feb 2003
- Location
- AR
- Posts
- 2,382
Thank you, but I'm well aware of how hashes work. When I originally saw the passwords, I thought that perhaps they had been generated using some sort of custom algorithm, which is why I was looking for help. If you see my follow-up post, however, you'll notice that I figured out how they were generated, and accepted the fact that we would not be decoding them.
-
10-27-2009, 10:07 AM #7 Junior Guru Wannabe
- Join Date
- Aug 2007
- Location
- Brighton, UK
- Posts
- 66
Sure, just figured I'd give a more full explanation for anyone reading who may not be aware of the differences between password hashing and encryption.
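The login-time conversion described in posts #3 and #4, as an added example that is not part of any poster's message: it recomputes the pre-4.1 MySQL password() hash in the application, and on the first successful login replaces the legacy value with a new record. Assumptions: the `users` dict stands in for the user table, the `login` helper, the `pbkdf2$...` record format, the iteration count and UTF-8 password bytes are illustrative, and a salted PBKDF2 record is stored in place of the plain SHA-1 mentioned in the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # example value, tune for your hardware


def mysql_old_password(password: str) -> str:
    """Pre-4.1 MySQL PASSWORD() / OLD_PASSWORD(): unsalted, 16 hex characters."""
    nr, nr2, add = 1345345333, 0x12345671, 7
    for byte in password.encode("utf-8"):   # assumption: legacy app sent UTF-8/ASCII
        if byte in b" \t":                  # the algorithm skips spaces and tabs
            continue
        nr ^= ((((nr & 63) + add) * byte) + (nr << 8)) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add = (add + byte) & 0xFFFFFFFF
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def new_record(password: str) -> str:
    """Build the replacement record: per-user random salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def check_record(password: str, record: str) -> bool:
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users: dict, name: str, password: str) -> bool:
    """Verify a login; upgrade a legacy row in place on the first success."""
    stored = users.get(name)
    if stored is None:
        return False
    if stored.startswith("pbkdf2$"):        # already migrated
        return check_record(password, stored)
    if hmac.compare_digest(mysql_old_password(password), stored.lower()):
        users[name] = new_record(password)  # legacy hash is dropped here
        return True
    return False


# Constructed sample row: account "alice" whose password is "mypass".
SAMPLE_USERS = {"alice": "6f8c114b58f2ce9e"}
```

Because the legacy algorithm ignores spaces and tabs, "my pass" and "mypass" both verify against an unmigrated row; after the upgrade only the exact string the user typed at that login is accepted.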