How to get a user's password?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
DCR
Registered User
Posts: 1
Joined: Sat Dec 03, 2005 8:59 pm

How to get a user's password?

Post by DCR » Sat Dec 03, 2005 9:08 pm

I am pretty new to phpBB, but I would like to know how I could learn a specific user's password? I am the admin, and can make changes to the user's account, but I can view the existing password, all I see is something like "*****".

Thanks, and any help is appreciated.

jwunderly
Registered User
Posts: 5740
Joined: Sun Mar 30, 2003 2:18 pm
Location: Easton, PA (in the groove)

Re: How to get a user's password?

Post by jwunderly » Sat Dec 03, 2005 9:13 pm

DCR wrote: I am pretty new to phpBB, but I would like to know how I could learn a specific user's password? I am the admin, and can make changes to the user's account, but I can view the existing password, all I see is something like "*****".


In all practicality, you can't get it, as the MD5 hashing routine used to generate the value you see is not reversible.
John (A cranky old man. "Looking for an echo ...")
using any control-panel install/update is like shooting yourself in the foot. It won't kill you, but you're really going to hobble around until it heals.
Using the wrong tools (Front Page, DreamWeaver) gives the same results
Do not PM me for Support!

A_Jelly_Doughnut
Former Team Member
Posts: 34457
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run

Post by A_Jelly_Doughnut » Sat Dec 03, 2005 9:14 pm

Basically, you can't. phpBB doesn't store passwords in plain text for security reasons, and the passwords in the database are hashed by md5, which is one-way.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish

jwunderly
Registered User
Posts: 5740
Joined: Sun Mar 30, 2003 2:18 pm
Location: Easton, PA (in the groove)

Post by jwunderly » Sat Dec 03, 2005 9:15 pm

A_Jelly_Doughnut wrote: Basically, you can't. phpBB doesn't store passwords in plain text for security reasons, and the passwords in the database are hashed by md5, which is one-way.


a minute late and a penny short .... :P

rs-bhe.com
Registered User
Posts: 320
Joined: Fri Dec 02, 2005 9:35 pm

Post by rs-bhe.com » Sat Dec 03, 2005 9:28 pm

You could reset the password for them, if you have a way outside of the forum of letting them know what you're resetting it to.
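The login check and admin reset described in the replies above, as an added example (not phpBB's own code and not from any poster). It goes slightly beyond the thread by upgrading a legacy MD5 row to `password_hash()` on a successful login; the `user_password` key, the function names and the sample row are constructed for illustration.

```php
<?php
// Added example: constructed in-memory user row, not phpBB source code.
// The 'user_password' key is an assumption made for this illustration.

// Legacy scheme as described in the thread: store md5(password) only.
function legacy_hash(string $password): string {
    return md5($password);
}

// Login: hash the submitted password and compare digests in constant time.
// The stored value is never turned back into the password.
function verify_login(array &$user, string $submitted): bool {
    $stored = $user['user_password'];
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy row: unsalted MD5 hex digest.
        if (!hash_equals($stored, legacy_hash($submitted))) {
            return false;
        }
        // The plaintext is available only at this moment, so upgrade the
        // row to a salted, deliberately slow hash.
        $user['user_password'] = password_hash($submitted, PASSWORD_DEFAULT);
        return true;
    }
    return password_verify($submitted, $stored);
}

// Admin reset: generate a random password, store only its hash, and return
// the plaintext once so it can be passed to the user outside the forum.
function admin_reset(array &$user): string {
    $new = bin2hex(random_bytes(12)); // 24 hex characters
    $user['user_password'] = password_hash($new, PASSWORD_DEFAULT);
    return $new;
}

// Constructed sample row and walk-through.
$user = [
    'username'      => 'example_user',
    'user_password' => legacy_hash('correct horse'),
];

var_dump(verify_login($user, 'wrong guess'));    // rejected, row unchanged
var_dump(verify_login($user, 'correct horse'));  // accepted, row rehashed
var_dump(strlen($user['user_password']) === 32); // no longer an MD5 digest
$temporary = admin_reset($user);
var_dump(verify_login($user, $temporary));       // reset password works
```

The admin never needs to read the old password at any step: verification compares digests, and a reset simply overwrites the stored hash.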

mm3guy
Registered User
Posts: 197
Joined: Tue Oct 14, 2003 8:13 pm

Post by mm3guy » Fri Dec 09, 2005 12:48 am

There's a 20 percent chance that the hash will be here

Note: Please do not use the link I gave you for damaging purposes
[-INSERT COOL SIG HERE-]

shiner
Registered User
Posts: 370
Joined: Wed Mar 09, 2005 11:58 pm

Post by shiner » Fri Dec 09, 2005 3:10 am

The board sends an email to every newly registered user, and this email contains the password and user ID of the newly registered user. After some modification you can also get the same email in your mailbox.
Last edited by shiner on Fri Dec 09, 2005 9:05 pm, edited 1 time in total.

Lumpy Burgertushie
Registered User
Posts: 66490
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie » Fri Dec 09, 2005 3:49 am

why go through all this, the board has a builtin way to reset the password. there is no valid reason for the admin or anyone else to be able to get anyone's password.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

KyferEz
Registered User
Posts: 20
Joined: Tue Jun 28, 2005 7:40 pm

Post by KyferEz » Sat Dec 02, 2006 5:56 pm

Lumpy Burgertushie wrote: why go through all this, the board has a builtin way to reset the password. there is no valid reason for the admin or anyone else to be able to get anyone's password.

robert
Yes there is. When a spammer is attacking a forum, and you want all the information on that spammer possible, that is a very valid reason to want their password. That said, is there ANY MOD that replaces the md5 password hash with reversible encryption? If not, I think one needs to exist.

KevC
Support Team Member
Posts: 69239
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Post by KevC » Sat Dec 02, 2006 5:59 pm

Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.
-:|:- Support Request Template -:|:-
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"

KyferEz
Registered User
Posts: 20
Joined: Tue Jun 28, 2005 7:40 pm

Post by KyferEz » Sat Dec 02, 2006 6:05 pm

Kevin Clark wrote: Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.
Yes, I can, depending upon the spammer. And, I didn't ask if MD5 could be decrypted. I asked if a MOD would REPLACE the MD5 hash with a reversible encryption. So that the passwords would be stored NOT using MD5, but using a reversible encryption. So the forum would no longer use MD5.

Lumpy Burgertushie
Registered User
Posts: 66490
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie » Sat Dec 02, 2006 6:08 pm

KyferEz wrote:
Kevin Clark wrote:Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.
Yes, I can, depending upon the spammer. And, I didn't ask if MD5 could be decrypted. I asked if a MOD would REPLACE the MD5 hash with a reversible encryption. So that the passwords would be stored NOT using MD5, but using a reversible encryption. So the forum would no longer use MD5.


well, anything is possible, but you will not find it here. why would anyone want to reduce the security of the phpbb script by doing that?

and no, you can't. just knowing someone's password tells you nothing about them that you don't already know from other bits of information.

also, the spammers are usually bots, they use a different username/password/IP for each time they register, and for each different board, etc, etc.

they are just scripts that run all through the internet attacking phpbb and other boards.

luck,
robert

KevC
Support Team Member
Posts: 69239
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Post by KevC » Sat Dec 02, 2006 6:11 pm

KyferEz wrote:
Kevin Clark wrote:Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.
Yes, I can, depending upon the spammer.

So would you like to share that?
And, I didn't ask if MD5 could be decrypted. I asked if a MOD would REPLACE the MD5 hash with a reversible encryption. So that the passwords would be stored NOT using MD5, but using a reversible encryption. So the forum would no longer use MD5.

Sounds risky from a security point of view.

KyferEz
Registered User
Posts: 20
Joined: Tue Jun 28, 2005 7:40 pm

Post by KyferEz » Sat Dec 02, 2006 6:20 pm

Lumpy Burgertushie wrote: and no, you cant. just knowing someone's password tells you nothing about them that you don't already know from other bits of information.

also, the spammers are usually bots, they use a different username/password/IP for each time they register, and for each different board, etc, etc.

luck,
robert
This is true when it is a bot. However, when you run a spam fighting forums as I do, they manually attack as well. This is when having their password can pay off. Spammers have proven to be quite stupid, and often make mistakes during their spam runs. When they make a mistake on my forums and use a password that they use elsewhere, I want to be able to get at it and use it against them.

Just within this last week, members on our forums have taken down over 1000 spam sites. Other members have helped by submitting fake orders to the spam sites so they have a difficult time distinguishing real orders from fake (advantageous because the spammers don't ship anything - they use the order info for identity theft).

I think being able to get their passwords could help us just a bit more.

KyferEZ
TheCarPCStore.com Forums - Get help with your CarPC
Electronics Calculators and other useful data
----------------
Kill Spammers - Spam Fighter's Forums <-- DDoSed by spammers from Aug 27, 07 to Sept 10, 07

bronxgodzilla
Registered User
Posts: 65
Joined: Sun Jul 23, 2006 9:38 am

Post by bronxgodzilla » Sat Dec 02, 2006 6:21 pm

KyferEz wrote:
Kevin Clark wrote:Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.
Yes, I can, depending upon the spammer. And, I didn't ask if MD5 could be decrypted. I asked if a MOD would REPLACE the MD5 hash with a reversible encryption. So that the passwords would be stored NOT using MD5, but using a reversible encryption. So the forum would no longer use MD5.


Thank you KyferEz for being precise and practical. Would your proposed Mod's algorithms also serve to recognize patterns of certain spammers, of/to which you were previously alluding? Very interesting. This little ditty alone could have wide-range applications for everyone. -- and make you rich :-)
