MyBB Community Forums
I can not decrypt my password. - Printable Version



I can not decrypt my password. - mushface1 - 2015-12-13

I am using crackstation.net
The passwords are salted...
Any help?


RE: I can not decrypt my password. - Josh H. - 2015-12-13

Well yeah... That's intentional. It would be very poor software design to use MD5 and NOT salt the passwords.

You should never need to decrypt your password (and, to be pedantic, they're not encrypted; they're one-way hashed). If you're an admin and need to reset your password, find the password reset query in this docs section to regain access, then reset your password so that it will actually be salted and stored semi-securely.


RE: I can not decrypt my password. - Destroy666 - 2015-12-13

And what exactly is your question..? There are other tools that allow you to choose a more correct algorithm, you can use them instead, you know.

Also, since you have access to the DB, it would be smarter to just set a new password if it's really about your account...
UPDATE `mybb_users` SET `password` = '098f6bcd4621d373cade4e832627b4f6', `salt` = '' WHERE `uid` = 'X'
sets it to test, replace X with your UID.


RE: I can not decrypt my password. - mushface1 - 2015-12-14

(2015-12-13, 09:17 PM)Josh H. Wrote: Well yeah... That's intentional. It would be very poor software design to use MD5 and NOT salt the passwords.

You should never need to decrypt your password (and, to be pedantic, they're not encrypted; they're one-way hashed). If you're an admin and need to reset your password, find the password reset query in this docs section to regain access, then reset your password so that it will actually be salted and stored semi-securely.

On a forum I was on about 3 months ago, we got SQL Injected and the database was leaked... It was ok as there were only 500 members or so, but people decrypted my password... The forum used MyBB.


RE: I can not decrypt my password. - Euan T - 2015-12-14

(2015-12-14, 07:59 AM)mushface1 Wrote:
On a forum I was on about 3 months ago, we got SQL Injected and the database was leaked... It was ok as there were only 500 members or so, but people decrypted my password... The forum used MyBB.

It is possible to brute force the password with the use of tools such as rainbow tables. All it takes is a little time. MyBB 2.0 uses Bcrypt, which is a much better hashing mechanism that takes longer to crack.
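
Added example, not part of the thread and not MyBB's own code: one way to move accounts from the salted-MD5 scheme discussed above to bcrypt by re-hashing at the next successful login. The legacy formula md5(md5(salt) . md5(password)) is MyBB 1.x's scheme and is not stated in the thread; the `$user` row layout, the function names and the sample values are hypothetical.

```php
<?php
// Added example (not MyBB code). Function names and the $user row layout are hypothetical.

const BCRYPT_OPTS = ['cost' => 12];

// Legacy scheme assumed here: md5(md5(salt) . md5(password)).
function legacy_hash(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

// A legacy record is a bare 32-character hex digest; bcrypt strings start with "$2y$".
function is_legacy(string $stored): bool
{
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

/**
 * Check a login attempt. Returns the hash that should be stored from now on,
 * or null when the password is wrong.
 */
function verify_and_upgrade(array $user, string $password): ?string
{
    if (is_legacy($user['password'])) {
        // Constant-time comparison against the recomputed legacy digest.
        $ok = hash_equals($user['password'], legacy_hash($password, $user['salt']));
        // The plaintext is only available at login, so this is the moment to upgrade.
        return $ok ? password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS) : null;
    }
    if (!password_verify($password, $user['password'])) {
        return null;
    }
    // Already bcrypt: re-hash only if the configured cost has been raised since.
    return password_needs_rehash($user['password'], PASSWORD_BCRYPT, BCRYPT_OPTS)
        ? password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS)
        : $user['password'];
}

// Constructed sample row standing in for a legacy user record.
$user = ['password' => legacy_hash('correct horse', 'aB3dE9xQ'), 'salt' => 'aB3dE9xQ'];

$upgraded = verify_and_upgrade($user, 'correct horse');
var_dump(is_string($upgraded) && password_verify('correct horse', $upgraded));
var_dump(verify_and_upgrade($user, 'wrong guess'));
```

The caller writes the returned string back to the user row and clears the separate salt column, since a bcrypt string carries its own salt and cost.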


RE: I can not decrypt my password. - mushface1 - 2015-12-18

(2015-12-14, 01:08 PM)Euan T Wrote:
It is possible to brute force the password with the use of tools such as rainbow tables. All it takes is a little time. MyBB 2.0 uses Bcrypt, which is a much better hashing mechanism that takes longer to crack.

Where can I get rainbow tables?


RE: I can not decrypt my password. - Euan T - 2015-12-18

(2015-12-18, 06:12 PM)mushface1 Wrote:
Where can I get rainbow tables?
Certainly not here. Attempting to crack passwords, especially for nefarious uses, can be illegal in some jurisdictions.


RE: I can not decrypt my password. - Josh H. - 2015-12-18

(2015-12-14, 07:59 AM)mushface1 Wrote: On a forum I was on about 3 months ago, we got SQL Injected and the database was leaked... It was ok as there were only 500 members or so, but people decrypted my password... The forum used MyBB.

If your password was reversed by brute force, there's a good likelihood you should choose a better password.

Yes, collisions are possible, but rare.