Jump to content

Archived

This topic is now archived and is closed to further replies.

galvin

[SOLVED] Decrypt sha1 passwords?

Recommended Posts

I have passwords stored in sha1 format from last year (a football pool I did). I want to invite everyone back from last year and would like to just keep their same password from last year.  I forget mine, so they probably forget theirs.  How can I decrypt the sha1 format to see what the actual password is?  Here is the simply query which currently brings back all the sha1 encrypted passwords, so I image there is some easy function I can add to "$info['hashed_password']" to decrypt them. Anyone?...

 

	$query = "SELECT username, hashed_password, firstname, lastname, email FROM users";
			$result = mysql_query($query, $connection);
			if (!$result) {
			die("Database query failed: " . mysql_error());
			} else {

				while ($info = mysql_fetch_array($result)) {

				echo $info['hashed_password'] . "<br>";
				}

			}

Share this post


Link to post
Share on other sites

I dun think that is possible. Isnt that just a hash? I think there was a thread here the other day with some dude insisting you could decode them...

 

Anyway, if you have the db info, why not just reassign everyone random passwords, then email them an invitation with their new pass in it?

 

just create a temp_pass field and when they log in for the first time, prompt them to change it.

 

I'm sure it wont be that big of a deal for them.

Share this post


Link to post
Share on other sites

sha1 is not an encryption algorithm, so it is not possible to decrypt it. As seventheyejosh just stated, it is a hash (checksum.) And it is one-way and cannot be undone.

Share this post


Link to post
Share on other sites

@PFMaBiSmAd

 

do you remember the post i was talking about? i read all like 9 pages of it at 3am.. it was rather amusing, daniel0 was trying to convince some guy that u cant decrypt md5

 

:D

Share this post


Link to post
Share on other sites

Ahh ok.  Is md5 also a hash?  If a website stores a password a encrypts it first, how does it decrypt it when people click "I forgot my password?"  I guess they arent using "hash" then?

-Newbie (could you tell :) )

Share this post


Link to post
Share on other sites

you can store an unencrypted version on your server and email it them if, say a secret answer matches. Or if the secret answer matches, just mail them a random one, or a confirmation link, and prompt them to change it on their first log in. The latter 2 are more secure, i believe.

Share this post


Link to post
Share on other sites

Just assign new passwords.  You'll save tons of time.  I too remember that 9 page thread.  It was absolutely insane!!

Share this post


Link to post
Share on other sites

you can store an unencrypted version on your server and email it them if, say a secret answer matches. Or if the secret answer matches, just mail them a random one, or a confirmation link, and prompt them to change it on their first log in. The latter 2 are more secure, i believe.

 

Not the best of security practices right there, unless you can be sure to secure your db.

 

cunoodle2 hit the spot, just create them a temporary password, and they can change it once they login with the temp pass.

Share this post


Link to post
Share on other sites

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.