galvin Posted July 9, 2009

I have passwords stored in sha1 format from last year (a football pool I did). I want to invite everyone back from last year and would like to just keep their same password from last year. I forget mine, so they probably forget theirs. How can I decrypt the sha1 format to see what the actual password is? Here is the simple query which currently brings back all the sha1 encrypted passwords, so I imagine there is some easy function I can add to "$info['hashed_password']" to decrypt them. Anyone?...

    // $connection is the link opened earlier with mysql_connect()
    $query = "SELECT username, hashed_password, firstname, lastname, email FROM users";
    $result = mysql_query($query, $connection);
    if (!$result) {
        die("Database query failed: " . mysql_error());
    } else {
        // Print the stored SHA-1 digest for each user
        while ($info = mysql_fetch_array($result)) {
            echo $info['hashed_password'] . "<br>";
        }
    }
seventheyejosh Posted July 9, 2009

I don't think that is possible. Isn't that just a hash? I think there was a thread here the other day with some dude insisting you could decode them... Anyway, if you have the db info, why not just reassign everyone random passwords, then email them an invitation with their new pass in it? Just create a temp_pass field and when they log in for the first time, prompt them to change it. I'm sure it won't be that big of a deal for them.
PFMaBiSmAd Posted July 9, 2009

sha1 is not an encryption algorithm, so it is not possible to decrypt it. As seventheyejosh just stated, it is a hash (checksum.) And it is one-way and cannot be undone.
seventheyejosh Posted July 9, 2009

@PFMaBiSmAd do you remember the post I was talking about? I read all like 9 pages of it at 3am... it was rather amusing, daniel0 was trying to convince some guy that you can't decrypt md5
galvin Posted July 9, 2009

Ahh ok. Is md5 also a hash? If a website stores a password and encrypts it first, how does it decrypt it when people click "I forgot my password?" I guess they aren't using "hash" then? -Newbie (could you tell)
joel24 Posted July 9, 2009

If you want the ability to decrypt/encrypt them, next time use mysql's AES_ENCRYPT() function. http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html
seventheyejosh Posted July 9, 2009

You can store an unencrypted version on your server and email it to them if, say, a secret answer matches. Or if the secret answer matches, just mail them a random one, or a confirmation link, and prompt them to change it on their first log in. The latter 2 are more secure, I believe.
cunoodle2 Posted July 10, 2009

Just assign new passwords. You'll save tons of time. I too remember that 9 page thread. It was absolutely insane!!
seventheyejosh Posted July 10, 2009

Found it: http://www.phpfreaks.com/forums/index.php/topic,254277.0.html
Philip Posted July 10, 2009

> you can store an unencrypted version on your server and email it them if, say a secret answer matches. Or if the secret answer matches, just mail them a random one, or a confirmation link, and prompt them to change it on their first log in. The latter 2 are more secure, i believe.

Not the best of security practices right there, unless you can be sure to secure your db. cunoodle2 hit the spot, just create them a temporary password, and they can change it once they log in with the temp pass.
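The "confirmation link" variant suggested in this thread, as an added example that is not code from any poster: a random single-use reset token is e-mailed to the user, only its digest is stored, and redeeming it sets a new password with password_hash(). The function names, the reset_hash and reset_expires fields, and the in-memory array standing in for the users table are assumptions made for the illustration.

```php
<?php
// Constructed sample data: an in-memory array stands in for the users table.
$users = [
    'galvin' => ['hashed_password' => sha1('forgotten'), 'reset_hash' => null, 'reset_expires' => 0],
];

// Issue a single-use reset token. Only its SHA-256 digest is stored, so a
// leaked database row cannot be used to redeem the reset.
function issue_reset_token(array &$users, string $username, int $ttl = 3600): ?string
{
    if (!isset($users[$username])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $users[$username]['reset_hash'] = hash('sha256', $token);
    $users[$username]['reset_expires'] = time() + $ttl;
    return $token;                                 // goes into the e-mailed link only
}

// Redeem the token: check expiry, compare digests in constant time, then
// store the new password with password_hash() and invalidate the token.
function redeem_reset_token(array &$users, string $username, string $token, string $newPassword): bool
{
    $row = $users[$username] ?? null;
    if ($row === null || $row['reset_hash'] === null || time() > $row['reset_expires']) {
        return false;
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$username]['hashed_password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$username]['reset_hash'] = null;        // single use
    $users[$username]['reset_expires'] = 0;
    return true;
}

// Walk through the flow: wrong token, correct token, replay, then login check.
$token = issue_reset_token($users, 'galvin');
var_dump(redeem_reset_token($users, 'galvin', 'wrong-token', 'n3w pass'));
var_dump(redeem_reset_token($users, 'galvin', $token, 'n3w pass'));
var_dump(redeem_reset_token($users, 'galvin', $token, 'n3w pass'));
var_dump(password_verify('n3w pass', $users['galvin']['hashed_password']));
```

The old SHA-1 value is never read back or reversed; it is simply overwritten once the user proves control of the mailbox.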
galvin Posted July 10, 2009

Ok, thanks for the info everyone!
Guest Posted October 8, 2013 (Edited October 8, 2013 by danielsun174)

There is not really a possibility to reverse password hashing with SHA algorithms. Of course you can still try to brute-force them, or use a server, e.g. hashhunters.net