  #1  
11 Mar 2009, 06:34
Alexey™
 
Join Date: Oct 2008
Real name: Alexey
Is there any way to see password of users?

Is there any hack so that I can see users' passwords? Not to log into them, just to see the passwords?
  #2  
11 Mar 2009, 07:32
BSMedia
 
Join Date: Feb 2009
Not unless you have a super computer and a lot of free time with some luck mixed in.

It's my understanding that they are double md5'd with a unique salt per user to prevent such trickery, though I'm not certain if that's the case or not.
  #3  
11 Mar 2009, 08:16
Alexey™
 
Join Date: Oct 2008
Real name: Alexey
And there is no modification for this?
  #4  
11 Mar 2009, 09:08
TigerC10
 
Join Date: Apr 2006
No. There's no modification for this. Because the passwords aren't stored as "plain text". Passwords are stored as encrypted text with a method of encryption called "MD5". MD5 is known as an irreversible encryption. Basically, there is no way to decrypt it. A sort of "separate the lock from the key" approach toward encryption. Very much NOT useful for encrypting documents of any kind, but VERY useful for passwords.

Take for example, the word "password". It is hashed out into a 32 character value through the MD5 function and becomes...

5f4dcc3b5aa765d61d8327deb882cf99

vBulletin adds more security through obscurity to that! It then takes this 32 character value and adds a randomized salt (which is stored in the database for every user) to the end... A salt is a 3 or 4 character set of randomized symbols that looks like

=!q
4g*

so you get

5f4dcc3b5aa765d61d8327deb882cf994g*

It then hashes the MD5 of that whole mess to result in an even more irreversible string which is stored in the database as the user's password.

9a345e5cf815ea1c9b3f88296f7eef78


When the user enters their password, it is hashed, then salted, and hashed again - and it checks to see if that garbledegook matches the garbledegook in the database.

Put simply, it is impossible to get someone's password with a mere mod. That's what BSMedia was talking about - you can use a super computer that's constantly calculating and hashing dictionary values over a few dozen/hundred years until it finds a match - but this is a highly inefficient means of doing so.

I suppose one could also alter the login.php file to steal the password before it is hashed and either store it in the database or have it sent somewhere - but this would instantly be broken the moment they upgraded the board.






Either way, stealing your members' passwords like that is really dishonest and is a violation of computer ethics.
__________________
~TigerC10~
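
The scheme described in the post above, together with a login check that upgrades a stored hash to a slower function once the user signs in, as an added example that is not part of the original thread and is not vBulletin's own code. It goes one step beyond the post by showing the upgrade; the record layout, the function names and the PBKDF2 settings are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption of this example; tune to your hardware


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def legacy_hash(password: str, salt: str) -> str:
    """The scheme as described in the post: md5(md5(password) + salt)."""
    return md5_hex(md5_hex(password) + salt)


def pbkdf2_hash(password: str, salt: bytes) -> str:
    """Deliberately slow replacement, so each guess costs far more than MD5."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()


def new_record(password: str) -> dict:
    salt = secrets.token_bytes(16)  # fresh random salt per user
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "hash": pbkdf2_hash(password, salt)}


def login(password: str, record: dict) -> tuple[bool, dict]:
    """Verify a login; on success, return an upgraded record for legacy rows.

    The plaintext exists only for the duration of this call and is never stored.
    """
    if record["scheme"] == "legacy-md5":
        expected = legacy_hash(password, record["salt"])
    else:
        expected = pbkdf2_hash(password, bytes.fromhex(record["salt"]))
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, record["hash"]):
        return False, record
    if record["scheme"] == "legacy-md5":
        record = new_record(password)  # re-hash while the password is in hand
    return True, record


# Constructed sample row, using the salt shown in the post.
SAMPLE = {"scheme": "legacy-md5", "salt": "4g*",
          "hash": legacy_hash("password", "4g*")}
```
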
  #5  
11 Mar 2009, 09:18
Zachery
 
Join Date: Jul 2002
Real name: Zachery Woods
It's not encryption, it's hashing.
__________________
Looking for ImpEx?
  #6  
11 Mar 2009, 09:32
TigerC10
 
Join Date: Apr 2006
Originally Posted by Zachery
It's not encryption, it's hashing.
Yes, yes... And I'm aware that Darth Vader never said, "Luke, I am your father" and that Captain Kirk never said, "Beam me up, Scotty". Just pointing out that you don't need to make a one liner post that makes you sound pompous for making a distinction that nobody cares about...

The terms are not mutually exclusive. Hashing is a form of encryption, a very specific form. It takes a variable length set of data (binary or text) and then spits out a fixed length known type (either binary or text - not both). Encryption is a broad scope term that means it takes one thing and turns it into another thing. Encryption can be reversible, or in some cases it's not. Either way, you're still turning one thing into another thing.
__________________
~TigerC10~
  #7  
11 Mar 2009, 09:52
dismas
 
Join Date: Jun 2007
There was a thread about this a little while back.
__________________
"Not all those who wander are lost" - J.R.R. Tolkien