Results 1 to 7 of 7
  1. #1
    Join Date
    Feb 2003
    Location
    AR
    Posts
    2,382

    Need some help decoding (If possible)

    Odd story I've got here. I have a new client who had a script written in (or around) 2005 by someone else. Client recently experienced data loss of ALL of their website files and recent database dumps. The most recent dump they have is from mid-2008, and I've been tasked with rewriting the script from scratch around this database.

    The passwords in this dump appear to be a simple HEX encoding, but so far I've been unable to figure out exactly how to reverse them (I want to reverse them so that I can store them as SHA-1). Client doesn't want to reset the users' passwords, which is why I'm trying to go about it this way. I'm hoping someone will be able to take a look and figure out exactly what's going on...

    A couple of examples are here:

    0068102b7f6b3d9c
    6327ff773af534c3

    There are a little over 200K registered users at this website, so I understand the client's concern on generating new passwords for everyone.

    I'm hoping someone can help me out here, but if not, I guess everyone is getting a new password

  2. #2
    Join Date
    Feb 2003
    Location
    AR
    Posts
    2,382
    It just occurred to me that those hashes look a lot like ones generated by old verions of mysql's password() function, which, as far as I can remember, are irreversible.

    Unless someone gives me some information to the contrary, it looks like everyone is getting new passwords

  3. #3
    Join Date
    May 2009
    Posts
    766
    All you really need is the original algorithm to convert plain-text password to the encrypted password...doesn't matter if encryption is destructive or not. If you can get a known password (ie your client's password) you can test different algorithms until you figure out what's in the special sauce--perhaps the original developer would be available to help, or left other scripts laying around that probably use the same encryption scheme.

    Then, when any other user enters a password, if it validates you can convert it to SHA1.

  4. #4
    Join Date
    Feb 2003
    Location
    AR
    Posts
    2,382
    I was just sent another database dump from the client, and sure enough, the passwords are being stored with mysql's password() function.

    So we'll just check the password when users log in, do the conversion and update the table...

  5. #5
    Join Date
    Aug 2007
    Location
    Brighton, UK
    Posts
    66
    It is very unlikely that you will be able to recover the original password from a password hash. Password hashes are different from encryption - encryption is normally bi-directional; in other words, once something has been encrypted it can then be decrypted and the original data restored.
    Password hashes don't work like that -- when we store a password, we don't need to be able to recover the original password, all we need to be able to do is check any password the user enters to ensure it matches the one that's stored. A hash is a one-way algorithm, and what that means is that given the same input data the hash will produce the same output - so you can use this to compare a password against the one on file to see if it's the same, however - there's no way to go from the hash back to the original password - short of using a brute-force password cracker.

    Password crackers work by having a massive list of possible passwords - they then go through each one on the list and hash it, then they compare the hash against the stored one and if it matches, we know we have the right password. Unfortunately this only works if the password was on the original list - the size of the list then becomes a compromise - the longer the word list, the more time the crack takes, but the higher the probability of you recovering the password.

  6. #6
    Join Date
    Feb 2003
    Location
    AR
    Posts
    2,382
    Thank you, but I'm well aware of how hashes work. When I originally saw the passwords, I thought that perhaps they had been generated using some sort of custom algorithm, which is why I was looking for help. If you see my follow-up post, however, you'll notice that I figured out how they were generated, and accepted the fact that we would not be decoding them.

  7. #7
    Join Date
    Aug 2007
    Location
    Brighton, UK
    Posts
    66
    Sure, just figured I'd give a more full explanation for anyone reading who may not be aware of the differences between password hashing and encryption.

Similar Threads

  1. decoding javascripts?
    By jjk2 in forum Programming Discussion
    Replies: 3
    Last Post: 05-28-2008, 07:30 PM
  2. Character decoding, anyone help?
    By whmcsguru in forum Programming Discussion
    Replies: 2
    Last Post: 09-01-2006, 05:49 AM
  3. ASP Decoding.. Help me pleaseeee!
    By dpny in forum Programming Discussion
    Replies: 0
    Last Post: 07-29-2005, 05:14 PM
  4. decoding attachements?
    By acctman in forum Programming Discussion
    Replies: 3
    Last Post: 01-21-2005, 04:43 AM
  5. PHP Mime decoding help
    By aah-jim in forum Programming Discussion
    Replies: 6
    Last Post: 09-21-2003, 09:20 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •