[SOLVED] Decrypt sha1 passwords?


galvin

I have passwords stored in sha1 format from last year (a football pool I did). I want to invite everyone back from last year and would like to just keep their same password from last year. I forget mine, so they probably forget theirs. How can I decrypt the sha1 format to see what the actual password is? Here is the simple query which currently brings back all the sha1 encrypted passwords, so I imagine there is some easy function I can add to "$info['hashed_password']" to decrypt them. Anyone?...

// Fetch every user row, including the stored SHA-1 hash of the password.
$query = "SELECT username, hashed_password, firstname, lastname, email FROM users";
$result = mysql_query($query, $connection);
if (!$result) {
	die("Database query failed: " . mysql_error());
} else {
	// Print each stored hash on its own line.
	while ($info = mysql_fetch_array($result)) {
		echo $info['hashed_password'] . "<br>";
	}
}


I don't think that is possible. Isn't that just a hash? I think there was a thread here the other day with some dude insisting you could decode them...

Anyway, if you have the db info, why not just reassign everyone random passwords, then email them an invitation with their new pass in it?

Just create a temp_pass field and when they log in for the first time, prompt them to change it.

I'm sure it won't be that big of a deal for them.


Ahh ok. Is md5 also a hash? If a website stores a password and encrypts it first, how does it decrypt it when people click "I forgot my password?" I guess they aren't using "hash" then?

-Newbie (could you tell :) )


You can store an unencrypted version on your server and email it to them if, say, a secret answer matches. Or if the secret answer matches, just mail them a random one, or a confirmation link, and prompt them to change it on their first log in. The latter 2 are more secure, I believe.


> You can store an unencrypted version on your server and email it to them if, say, a secret answer matches. Or if the secret answer matches, just mail them a random one, or a confirmation link, and prompt them to change it on their first log in. The latter 2 are more secure, I believe.

Not the best of security practices right there, unless you can be sure to secure your db.

cunoodle2 hit the spot, just create them a temporary password, and they can change it once they login with the temp pass.

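The temporary-password approach suggested in the replies, as an added PHP example that is not code from the thread. It assumes an in-memory array in place of the users table, a must_change flag in place of the temp_pass field, and PHP's password_hash() in place of sha1(); the user name, passwords and function names are constructed for illustration.

```php
<?php
// Added example: all names and sample data below are constructed.
// In-memory stand-in for the users table. The stored value is sha1('secret'),
// the kind of one-way hash a row from last year's pool would hold.
$users = [
    'alice' => ['hashed_password' => sha1('secret'), 'must_change' => false],
];

// Replace the unrecoverable hash with the hash of a random temporary password.
// The plaintext is returned once so it can go into the invitation e-mail.
function issue_temp_password(array &$users, string $username): string
{
    $temp = bin2hex(random_bytes(8));            // 16 hex characters from the CSPRNG
    $users[$username]['hashed_password'] = password_hash($temp, PASSWORD_DEFAULT);
    $users[$username]['must_change'] = true;     // plays the role of temp_pass
    return $temp;
}

// Check a login attempt. Returns 'denied', 'change_required' or 'ok'.
function login(array $users, string $username, string $password): string
{
    if (!isset($users[$username])) {
        return 'denied';
    }
    $row = $users[$username];
    if (!password_verify($password, $row['hashed_password'])) {
        return 'denied';
    }
    return $row['must_change'] ? 'change_required' : 'ok';
}

// Store the user's own choice and clear the first-login flag.
function change_password(array &$users, string $username, string $new): void
{
    $users[$username]['hashed_password'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$username]['must_change'] = false;
}

$temp = issue_temp_password($users, 'alice');
echo login($users, 'alice', 'secret'), "\n";   // last year's password is rejected
echo login($users, 'alice', $temp), "\n";      // temporary password forces a change
change_password($users, 'alice', 'a new passphrase');
echo login($users, 'alice', 'a new passphrase'), "\n";
```

At no point does the server need the old password back: the old hash is simply overwritten, and only hashes are ever stored.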
