02-14-2010, 06:30 PM
02-15-2010, 02:18 AM
Why would you want to for any reason apart from malicious?
I mean there is a great password reset option built into MyBB.
Finally, I think you certainly could go into the database and find out if you were that persistent, but again I fail to see the need.
If you wanted to change their password you need only do it from ACP.
02-15-2010, 05:07 AM
I don't see how this helped my question.
02-15-2010, 05:15 AM
(02-15-2010, 05:07 AM) iGirls wrote: I don't see how this helped my question.
Cheeky azzhole. I did actually answer your question.
It can be done. Obviously not by you though.
Now if you read the rules here I believe there is no hacking allowed here and what you want to do is simply stupid unless there were other motives, namely hacking.
Sorry if you don't like my answer but personally I don't care a f uck.
02-15-2010, 08:06 AM
MyBB has a special way of encrypting and decrypting passwords.
It is not only the md5 way.
I can easily crack a password and get the md5 format.
I did crack vBulletin's password method for my project.
02-15-2010, 10:55 AM
The whole point of it being encrypted is so that you can't just look in the database and decrypt it. This is how it's encrypted.
$salt = 8 random characters.
$hashed_salt = md5($salt)
$hashed_pass = md5($plaintext_password)
So now you have two md5 hashes.
Joins those together, so a 64 character hash, and then md5s that, and stores that in the password field.
So it's this:
$pass = md5(md5($salt).md5($plaintext_password))
Good luck trying to find the plaintext password with that password string and the salt. You'll need one hell of a rainbow table. If it needs resetting, apart from using the ACP, you can leave the salt blank and put a standard md5 into the password field, say the md5 of test, then log in with test.
02-20-2010, 06:48 AM
MattR has a good point about cracking md5 passwords.
You could use the milw0rm.com password cracking section.
I'm sure that it is possible to make a plugin to store a password in plain text for each member and save it in a new column in the MySQL table. It is really risky to save passwords in plain text.
02-25-2010, 04:56 AM
MyBB passwords are hashed; a hash is a one-way encryption, so theoretically the password cannot be recovered (and for good reason). You can use comparison tables such as the one on milw0rm but you have to remember that MyBB uses quite a complex salt (a prefix to the password that changes the hash substantially) so the chances of successfully using this technique are very slim.
When someone enters their password to log in, the inputted password is hashed then compared to the stored password hash. At no time (apart from the initial hashing process) does MyBB process un-hashed passwords (i.e. MyBB does not and cannot decrypt the password encryption).
Honestly though, if the user values the convenience of being told their password over proper encryption of their password then they are a fool. Just tell them to use the password reset function to issue them with a new password.
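The scheme quoted earlier in the thread, md5(md5($salt).md5($plaintext_password)), together with the login comparison described in the post above, written out as an added Python example. This is not MyBB's own code and not part of any post; the function names and the salt alphabet are assumptions, since the thread only says "8 random characters".

```python
import hashlib
import hmac
import secrets
import string

# Assumption: the thread does not say which characters the salt is drawn from.
SALT_ALPHABET = string.ascii_letters + string.digits


def md5_hex(data: str) -> str:
    """Lowercase hex MD5 of a UTF-8 string, the same form PHP's md5() returns."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def new_salt(length: int = 8) -> str:
    """Per-user salt of 8 random characters, as described in the thread."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def stored_hash(salt: str, password: str) -> str:
    """md5(md5($salt).md5($plaintext_password)) as given in the thread."""
    inner = md5_hex(salt) + md5_hex(password)  # two hashes joined: 64 hex chars
    return md5_hex(inner)


def create_record(password: str) -> dict:
    """What ends up in the user row: the salt and the final hash, never the password."""
    salt = new_salt()
    return {"salt": salt, "password": stored_hash(salt, password)}


def check_login(record: dict, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare; nothing is decrypted."""
    candidate = stored_hash(record["salt"], attempt)
    return hmac.compare_digest(candidate, record["password"])


def demo() -> dict:
    # Constructed sample data: two members who chose the same password.
    alice = create_record("correct horse")
    bob = create_record("correct horse")
    return {
        "same_stored_hash": alice["password"] == bob["password"],  # salts differ
        "good_login": check_login(alice, "correct horse"),
        "bad_login": check_login(alice, "Correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The per-user salt means two members with the same password get different stored values, which is what rules out a single precomputed table. MD5 itself is fast to compute, so how well a stored value resists guessing still depends on the strength of the password.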