
How to get a user's password?

Posted: Sat Dec 03, 2005 9:08 pm
by DCR
I am pretty new to phpBB, but I would like to know how I could learn a specific user's password? I am the admin, and can make changes to the user's account, but I can view the existing password, all I see is something like "*****".

Thanks, and any help is appreciated.

Re: How to get a user's password?

Posted: Sat Dec 03, 2005 9:13 pm
by jwunderly
DCR wrote: I am pretty new to phpBB, but I would like to know how I could learn a specific user's password? I am the admin, and can make changes to the user's account, but I can view the existing password, all I see is something like "*****".


In all practicality, you can't get it, as the MD5 hashing routine used to generate the value you see is not reversible.

Posted: Sat Dec 03, 2005 9:14 pm
by A_Jelly_Doughnut
Basically, you can't. phpBB doesn't store passwords in plain text for security reasons, and the passwords in the database are hashed by md5, which is one-way.

Posted: Sat Dec 03, 2005 9:15 pm
by jwunderly
A_Jelly_Doughnut wrote: Basically, you can't. phpBB doesn't store passwords in plain text for security reasons, and the passwords in the database are hashed by md5, which is one-way.


a minute late and a penny short .... :P

Posted: Sat Dec 03, 2005 9:28 pm
by rs-bhe.com
You could reset the password for them, if you have a way outside of the forum of letting them know what you're resetting it to.
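
The replies above, as an added example that is not part of the original thread and is not phpBB's own code: login works by hashing the submitted password and comparing digests, so the plaintext is never needed, and an admin reset only replaces the stored hash. All function names and sample passwords are hypothetical; the salted `password_hash()` upgrade is a hardening step beyond the unsalted MD5 scheme the thread describes.

```php
<?php
// Added illustration; not phpBB source code. Function names are hypothetical.

// Legacy scheme the thread describes: an unsalted MD5 digest of the password.
function legacy_hash(string $password): string
{
    return md5($password);
}

// A legacy row is exactly 32 hex characters; password_hash() output is not.
function is_legacy(string $stored): bool
{
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

// Login check: hash the submitted password and compare digests.
// The stored value is never turned back into the password.
function verify_login(string $submitted, string $stored): bool
{
    if (is_legacy($stored)) {
        return hash_equals($stored, legacy_hash($submitted));
    }
    return password_verify($submitted, $stored); // salted, deliberately slow
}

// After a successful login the plaintext is briefly in memory, so a legacy
// row can be upgraded to a salted hash without anyone reading the password.
function upgrade_if_legacy(string $submitted, string $stored): string
{
    if (is_legacy($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return password_hash($submitted, PASSWORD_DEFAULT);
    }
    return $stored;
}

// Admin reset: generate a random temporary password, store only its hash,
// and pass the temporary value to the user outside the forum.
function admin_reset(): array
{
    $temp = bin2hex(random_bytes(12));
    return ['temporary' => $temp, 'stored' => password_hash($temp, PASSWORD_DEFAULT)];
}

// Constructed sample data.
$row = legacy_hash('correct horse');              // what the admin sees in the DB
var_dump(verify_login('correct horse', $row));    // right password
var_dump(verify_login('wrong guess', $row));      // wrong password
$row = upgrade_if_legacy('correct horse', $row);  // row is now salted
var_dump(is_legacy($row), verify_login('correct horse', $row));
$reset = admin_reset();
var_dump(verify_login($reset['temporary'], $reset['stored']));
```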

Posted: Fri Dec 09, 2005 12:48 am
by mm3guy
There's a 20 percent chance that the hash will be here

Note: Please do not use the link I gave you for damaging purposes

Posted: Fri Dec 09, 2005 3:10 am
by shiner
Board sends an email to every new registered user and this email contains the password and user id of new registered user. After some modification you also can get the same email in your mail box.

Posted: Fri Dec 09, 2005 3:49 am
by Lumpy Burgertushie
why go through all this, the board has a built-in way to reset the password. there is no valid reason for the admin or anyone else to be able to get anyone's password.

robert

Posted: Sat Dec 02, 2006 5:56 pm
by KyferEz
Lumpy Burgertushie wrote: why go through all this, the board has a built-in way to reset the password. there is no valid reason for the admin or anyone else to be able to get anyone's password.

robert

Yes there is. When a spammer is attacking a forum, and you want all the information on that spammer possible, that is a very valid reason to want their password. That said, is there ANY MOD that replaces the md5 password hash with reversible encryption? If not, I think one needs to exist.

Posted: Sat Dec 02, 2006 5:59 pm
by KevC
Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.

Posted: Sat Dec 02, 2006 6:05 pm
by KyferEz
Kevin Clark wrote: Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.

Yes, I can, depending upon the spammer. And, I didn't ask if MD5 could be decrypted. I asked if a MOD would REPLACE the MD5 hash with a reversible encryption. So that the passwords would be stored NOT using MD5, but using a reversible encryption. So the forum would no longer use MD5.

Posted: Sat Dec 02, 2006 6:08 pm
by Lumpy Burgertushie
KyferEz wrote:
Kevin Clark wrote:Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.
Yes, I can, depending upon the spammer. And, I didn't ask if MD5 could be decrypted. I asked if a MOD would REPLACE the MD5 hash with a reversible encryption. So that the passwords would be stored NOT using MD5, but using a reversible encryption. So the forum would no longer use MD5.


well, anything is possible, but you will not find it here. why would anyone want to reduce the security of the phpbb script by doing that?

and no, you can't. just knowing someone's password tells you nothing about them that you don't already know from other bits of information.

also, the spammers are usually bots, they use a different username/password/IP for each time they register, and for each different board, etc, etc.

they are just scripts that run all through the internet attacking phpbb and other boards.

luck,
robert

Posted: Sat Dec 02, 2006 6:11 pm
by KevC
KyferEz wrote:
Kevin Clark wrote:Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.
Yes, I can, depending upon the spammer.

So would you like to share that?
And, I didn't ask if MD5 could be decrypted. I asked if a MOD would REPLACE the MD5 hash with a reversible encryption. So that the passwords would be stored NOT using MD5, but using a reversible encryption. So the forum would no longer use MD5.

Sounds risky from a security point of view.

Posted: Sat Dec 02, 2006 6:20 pm
by KyferEz
Lumpy Burgertushie wrote: and no, you can't. just knowing someone's password tells you nothing about them that you don't already know from other bits of information.

also, the spammers are usually bots, they use a different username/password/IP for each time they register, and for each different board, etc, etc.

luck,
robert

This is true when it is a bot. However, when you run a spam-fighting forum as I do, they manually attack as well. This is when having their password can pay off. Spammers have proven to be quite stupid, and often make mistakes during their spam runs. When they make a mistake on my forums and use a password that they use elsewhere, I want to be able to get at it and use it against them.

Just within this last week, members on our forums have taken down over 1000 spam sites. Other members have helped by submitting fake orders to the spam sites so they have a difficult time distinguishing real orders from fake (advantageous because the spammers don't ship anything - they use the order info for identity theft).

I think being able to get their passwords could help us just a bit more.

KyferEZ

Posted: Sat Dec 02, 2006 6:21 pm
by bronxgodzilla
KyferEz wrote:
Kevin Clark wrote:Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.
Yes, I can, depending upon the spammer. And, I didn't ask if MD5 could be decrypted. I asked if a MOD would REPLACE the MD5 hash with a reversible encryption. So that the passwords would be stored NOT using MD5, but using a reversible encryption. So the forum would no longer use MD5.


Thank you KyferEz for being precise and practical. Would your proposed Mod's algorithms also serve to recognize patterns of certain spammers, of/to which you were previously alluding? Very interesting. This little ditty alone could have wide-range applications for everyone. -- and make you rich :-)