viewing passwords 2.20

  • clearchanel
    Senior Member
    • May 2001
    • 265
    • 3.8.x

    viewing passwords 2.20

    I can no longer view passwords via the member's profile in the control panel by editing the config.php on VB 2.20. Is there a workaround for this?

    Thanks
  • Kaizen
    Senior Member
    • Aug 2001
    • 1884

    #2
    MD5 encryption was used in 2.2.0 to increase security on passwords.

    I don't know if there is an easy way around this but if you have an MD5 decryptor you could get the code from phpMyAdmin and decrypt it.

    That's the only thing I could think of. Someone else is bound to know.
    Site: Under Construction


    • thewitt
      Senior Member
      • Mar 2001
      • 435
      • 3.0.0 Gamma

      #3
      The MD5 hash is one way. The passwords cannot be decrypted.

      -t
      Tim Hewitt
      myOstrich Internet - Domain Management & Internet Services
      myOstrich Golf - When it comes to golf, we don't have our heads in the sand.


      • Chen
        Senior Member
        • Jun 2001
        • 8388

        #4
        Originally posted by Kaizen
        I don't know if there is an easy way around this but if you have an MD5 decryptor you could get the code from phpMyAdmin and decrypt it.
        Actually Kaizen there is no MD5 decoder as MD5 isn't really an encryption... so there's no way back from MD5ed value to the original value.
        Chen Avinadav
        Better to remain silent and be thought a fool than to speak out and remove all doubt.

        I too am disappointed by Maariv's coverage of the לתור מוטור competition of the NRG network


        • SFishy
          Senior Member
          • Jun 2001
          • 109

          #5
          This is a HUGE downside if there is no work-around. It is often one of the ONLY ways to be sure that a member has duplicate registrations (especially with AOL users). If I don't know what the password is, how can I possibly do a search on it? As a matter of fact, searching by password doesn't even work. No matter what you put in the field, it returns ALL your users.

          Any thoughts on this at all???


          • Chen
            Senior Member
            • Jun 2001
            • 8388

            #6
            Before this release a lot of users have complained about passwords being stored in the database without any encryption whatsoever.
            So for security's sake, we added the securest 'encryption' there can be - one way hashing.

            As for searching by password, I believe that is a left over from earlier releases that should have been removed from version 2.2.0.
            We'll make sure this will be removed from the next release.
            Chen Avinadav
            Better to remain silent and be thought a fool than to speak out and remove all doubt.

            I too am disappointed by Maariv's coverage of the לתור מוטור competition of the NRG network


            • SFishy
              Senior Member
              • Jun 2001
              • 109

              #7
              I'm not saying that encryption is a bad thing at all. What I'm saying is that not being able to see the user's password as an Admin is a huge downside. If a user can have their password e-mailed to them, an admin should be able to retrieve that password just as easily. With ISPs like AOL who make it real easy for people to have five e-mail addresses, and that there are always members who insist on abusing any BB by having multiple logins, every little way to track them down is helpful. At the very least there should be an option to "email admin the password".


              • Kaizen
                Senior Member
                • Aug 2001
                • 1884

                #8
                Originally posted by FireFly

                Actually Kaizen there is no MD5 decoder as MD5 isn't really an encryption... so there's no way back from MD5ed value to the original value.
                I shouldn't really have mentioned it and I don't want to go into any more detail but there is a way. I admit you can't go to a site and download a decryptor but there are ways.

                Also: If this is the case, how do you recover your password or can't you?

                Do you see what I mean?
                Last edited by Kaizen; Sun 4 Nov '01, 8:53am.
                Site: Under Construction


                • Raz Meister
                  Senior Member
                  • Jun 2001
                  • 1148

                  #9
                  You can check if someone has the same password by just comparing the encrypted password.
                  That's 'cos the same password will ALWAYS produce the same hash key
                  Raz - KMC Forums


                  • thewitt
                    Senior Member
                    • Mar 2001
                    • 435
                    • 3.0.0 Gamma

                    #10
                    Originally posted by SFishy
                    I'm not saying that encryption is a bad thing at all. What I'm saying is that not being able to see the user's password as an Admin is a huge downside. If a user can have their password e-mailed to them, an admin should be able to retrieve that password just as easily. [clip]
                    The users can no longer have their passwords emailed to them. vBulletin does not know the user's plain text password any longer - which is exactly as it should be. My password is no one's business but mine.

                    -t
                    Tim Hewitt
                    myOstrich Internet - Domain Management & Internet Services
                    myOstrich Golf - When it comes to golf, we don't have our heads in the sand.


                    • JamesUS
                      Senior Member
                      • Aug 2000
                      • 4622

                      #11
                      Originally posted by Kaizen


                      I shouldn't really have mentioned it and I don't want to go into any more detail but there is a way. I admit you can't go to a site and download a decryptor but there are ways.

                      Also: If this is the case, how do you recover your password or can't you?

                      Do you see what I mean?
                      There is no way to decrypt an md5 hash....

                      When a user forgets their password, they are issued with a new one - as there is no way at all to recover their old one.


                      As Razzie pointed out, you can still compare users' passwords, and you can still find users with a certain password (though this functionality may not be working properly in 2.2.0).


                      • SFishy
                        Senior Member
                        • Jun 2001
                        • 109

                        #12
                        Originally posted by Razzie
                        You can check if someone has the same password by just comparing the encrypted password.
                        That's 'cos the same password will ALWAYS produce the same hash key
                        Can you please tell me how? How do I even get their encrypted password?


                        • Kaizen
                          Senior Member
                          • Aug 2001
                          • 1884

                          #13
                          Originally posted by SFishy


                          Can you please tell me how? How do I even get their encrypted password?
                          It's in the MySQL database and you can view it through phpMyAdmin. Go to the table: user and click browse.
                          Site: Under Construction


                          • Raz Meister
                            Senior Member
                            • Jun 2001
                            • 1148

                            #14
                            Either use PHPMyAdmin or use telnet/SSH and execute the following query:

                            SELECT password FROM user WHERE userid=X;

                            Replace X with the userid.
                            Raz - KMC Forums
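
Added example, not part of the original thread and not vBulletin code: posts #9 and #14 rely on unsalted MD5 mapping equal passwords to equal stored values, so the sketch below groups users by stored hash and then shows that a per-user random salt removes that signal while login verification still works. The sample rows, function names and the PBKDF2 storage format are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: (userid, plaintext) pairs as they exist before hashing.
SAMPLE_USERS = [(1, "tr0ub4dor"), (2, "hunter2"), (3, "tr0ub4dor"), (4, "correct horse")]
ITERATIONS = 100_000  # assumed work factor for the illustration


def md5_hex(password):
    """Unsalted MD5 of the password, the scheme the thread describes for 2.2.0."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_hash_groups(rows):
    """Return lists of userids whose stored value is byte-for-byte identical."""
    groups = defaultdict(list)
    for userid, stored in rows:
        groups[stored].append(userid)
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def salted_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt, stored as salt$iters$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo():
    """Compare what identical passwords reveal under each storage scheme."""
    unsalted = [(uid, md5_hex(pw)) for uid, pw in SAMPLE_USERS]
    salted = [(uid, salted_hash(pw)) for uid, pw in SAMPLE_USERS]
    return shared_hash_groups(unsalted), shared_hash_groups(salted)


if __name__ == "__main__":
    same_md5, same_salted = demo()
    print("identical unsalted MD5 values:", same_md5)
    print("identical salted values:", same_salted)
```

Anyone who can read the user table gets the same equality signal from unsalted hashes, which is why per-user salts are the usual mitigation.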


                            • davidm
                              Member
                              • Sep 2001
                              • 38

                              #15
                              Admin access

                              I for one, am very sorry to have totally lost the facility to obtain a user's password. I think, if I had realised this I would have thought twice about the upgrade. Whilst I would never wish to pry into users' control panels it was reassuring to know that I could do so in an emergency. I suppose if necessary I could email myself a new password (by changing the email address of that user) to log in as that member but it would be a very heavy-handed route.


                              david M

