I am developing a system for Online Hotel booking system which I did not start from scratch. The information of customers(bookers) in the system are encrypted using MD5 but unlike normal md5() php function the system is quite complicated as you can see here :
$psw = md5("vhdsxnjuobef");
$t_cred_num = md5_encrypt($t_cred_num, $psw, 16);
and for Decryption it goes like :
$psw = md5("vhdsxnjuobef");
$t_credit_num = md5_decrypt($t_cred_num, $psw, 16);
this code is not Working though on my Server and there is alot of Customer's information Encrypted.
Example of hash of t_cred_num variable =>
fdRucZHctr7vIX+U400xGHq53Qemze0YQH1sAUjvmaC1P+XaRadI9CaX0wrkDXu6
Any Ideas on how to Decrypt these hashes ? When I use md5_decrypt with the hashes nothing happens.
I think the md5_crypt and md5_encrypt are functions hand crafted by the previous developer. md5 isn't supposed to be decryptable. Hash's are supposed to be one way functions: http://en.wikipedia.org/wiki/Hash_function
So, you'll need to find the definition of those functions. A search for "function md5_" in the code files should find the place in the code where they are defined.
there's no way to decrypt an md5. there are two things you can do:
if you have other account or know the password of another account then copy the md5 characters of it and place it on yours.
search for an md5 of let's say "admin". Paste the md5 equivalent of the word "admin" on your account. You can also use other words.
After that, login to your account then change back your password
Related
I have a page in my site that allows the user to change there password but as part of the form they have to enter the old password. In the model I have verification to check the old password entered on the form matches the one in the database
public function oldPasswordCheck($attribute, $params)
{
$old_password = $this->attributes['password'];
if (crypt($this->old_password, $old_password) != $old_password)
{
$this->addError('old_password', 'This is not the old password');
}
}
This worked until recently but for some reason now, if you enter the correct old password, it still tells you they didn't match.
Any pointers would be much appreciated.
Some possible answers:
1) Your salt parameter
Php crypt() function uses two parameters: crypt ( string $str [, string $salt ] ). It seems that you are using the password as salt, which is a very bad practice. Is that so or are you just confusing the salt parameter? I would also recommend to always compare passwords with php hash_equals(), because crypt() is vulnerable to timing attacks.
2) changes in your server configuration
What type of hash your php configuration use to crypt/decrypt strings?:
On systems where the crypt() function supports multiple hash types, the following constants are set to 0 or 1 depending on whether the given type is available: CRYPT_STD_DES, CRYPT_EXT_DES, CRYPT_MD5, CRYPT_BLOWFISH, CRYPT_SHA256 and CRYPT_SHA512. If you changed recently your server configuration, some of that could not be available anymore. Check it with phpinfo()
A recommendation
You are working with a framework, and Yii like every framework has its own class to crypt and decrypt strings. Take a look at yii security class. It will make your life easier.
I've spent better half of the day trying to figure out the problem I have, and I'm at a dead end it seems.
I have a ASP application(no access to actual code, just database), in which the user passwords are stored in aspnet_membership > Password column, it also has a salt.
I've also got a copy of the machine key file, which from what I understand contains the keys neede to decryot the password?
<machineKey validationKey="**validation key**" decryptionKey="**decryption key**" validation="SHA1" decryption="AES"/>
i've tried a bunch of different ways of doing this, with open ssl, with different libraries, etc. However I seem to lack knowledge when it comes to this. I'm currently trying to use https://github.com/phpseclib/phpseclib library to decrypt the password:
$cipher = new AES(); // could use AES::MODE_CBC
// keys are null-padded to the closest valid size
// longer than the longest key and it's truncated
//$cipher->setKeyLength(128);
$cipher->setKey(**decrypt key**);
// the IV defaults to all-NULLs if not explicitly defined
$cipher->setIV($salt);
echo $cipher->decrypt($password);
However any way i'm trying todo this, I get either random return or false. I've got a very limited amount of info about the version of AES running on the ASP application or any other encryption info. Any help would be appreciated!
Hi This MachineKey has nothing to do with Salt, the salt is generating by the code at run-time using the Password provided.
.NET framework using Rfc2898DeriveBytes for encryption
Something like this
using (Rfc2898DeriveBytes rfc2898DeriveByte = new Rfc2898DeriveBytes(password, 16, 1000))
{
salt = rfc2898DeriveByte.Salt;
bytes = rfc2898DeriveByte.GetBytes(32);
}
How to decrypt password in plain text which are in ms-SQL database?
$encrypted_password="k??aU?????y-??N???tDRz????{?4R???G?aS4t?T";
$salt = "611233880";
So I need to decrypt password so that I insert into other database with md5 encryption.
I used this code, but not get success
$iv2 = '';
for($i=0;$i<16;$i++){
$iv2 .= "\0";
}
$plain_text_CBC = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $salt, $encrypted_password, MCRYPT_MODE_CBC, $iv2);
var_dump($plain_text_CBC);
$plaintext = openssl_decrypt($encrypted_password, 'AES-256-CBC', $salt, 0, $iv2);
var_dump($plaintext);
Need Help
The idea behind encrypted (or hashed) passwords is that it is a one way operation. Not quite like shredding, but that's the idea. If you take exactly the same input and shred it you should get exactly the same output. You may not be able to reconstruct the input from it, but you can confirm someone gave you the right input by looking at the output.
Some weak algorithms have been know to be hacked buy in principle what you are asking for is impossible.
The ought to be no reason reason to decrypt. You can always do the hashing operation twice - first with the old algorithm, then with the new one - and then compare with the entry in the database.
NEVER EVER store plaintext (or weakly encrypted) passwords. Just ask LinkedIn...
You don't simply decrypt a password. It should be hashed which means it is a one way encryption.
If you want to change your password hashing implementation, here is a way to do it.
You have the clear text password available when a user is in the process of logging in. So that's where you will have to place code to rehash the password with the new algorithm.
If you are using the new native password hashing functions (PHP Version >= 5.5) then you can use password_needs_rehash. If you are on a lower PHP Version but still >= 5.3.7 then you can use the userland implementation to get the same API to the password hashing functions.
So when a user is attempting to log in and the password needs rehashing, check if the hashes match with the old hashing function and then create and save the new one to the database. Over time you will be able to migrate most users and then you can think about a solution to migrate the rest of your userbase with a forced password reset if they never logged in during your migration timeframe.
Firstly, you encrypting your data by 2 different algorithms. Why? One algorithm is enough.
Answer: You can't decrypt old password.
Solution: You should encrypt data you wrote into password field and compare result with data in database. If they are equal, you will pass password check.
For example:
$login = mysqli_real_escape_string($_POST['login']);
$password = mysqli_real_escape_string($_POST['password']);
$password_hash = md5($input); // you can use there any other algorithm, just example
// make next query and control result
$sql = 'select count(id) from users where login = \'$login\' and password = \'$password_hash\'';
// now if there are 1 row with this login and same password hash let user log in to your site
If you write your code in the MVC structure, you can use the function n_decrypt() to decrypt passwords.
Going straightly to my question, I have read about encrypting password while registering the user.Till here im able to register users with encrypted password by using PASSWORD('$PASS'); where $PASS is the users password. My sql table details is as follows :-
FNAME
LNAME
EMAIL
PASS // USED ENCRYPTION AS PASSWORD('$PASS'); HERE.
I can't understand how to decrypt the password & use futher in my code i use the following code to use decrypt the password but its not working. !
<?php
$EMAIL = $_POST['email'];
$PASS = $_POST['pass'];
mysql_connect('host', 'user', 'pass');
mysql_select_db('userdb');
$results = mysql_query(sprintf("SELECT FNAME,LNAME,EMAIL,PASS FROM `details`
WHERE PASS=PASSWORD('$PASS')",
mysql_real_escape_string($EMAIL))) or die(mysql_error());
while($row = mysql_fetch_assoc($results))
{$rows[1] = $row;}
if(!($_COOKIE['pass'] == $rows[1][PASS]))
//cookie is set while registering user , which is the decrypted(original) value of password.
{ die("Error occured"); }
else { echo "Password entered is correct"; }
////.....my further code here.
?>
Its showing Error occured on the page, which means the password is incorrect. I Also add that this code was working correctly before encryption of password in database.Im new to encryption process ,Your little help is needed which will help me to learn more. Thanks in advance.
You don't encrypt passwords, you hash them.
The point is, that you don't actually need the users password, you just need to know that they know it.
As an example, an absolutely terrible way to do that might be a simple count: e.g.
if the users password was 'horse123', you might store that as 8. Then you just count the letters in the password, and if it's 8, you know it's right.
That means that you never need to know the actual password.
Clearly that's awful, as there are many passwords with 8 characters! We need something with less 'collisions'.
Instead, we use one way hash functions. The most common way to do this is to use an MD5 hash. (it's not the best, but it's simple to explain). For how to actually do this, look at http://www.openwall.com/phpass/.
For the short and sweet version:
Get the users password, and do something like:
$pass = md5('somerandomtextthatyouknow'.$_POST['password']);
then, store that in your DB.
When they log in, you do the same again, and check that the hash in your DB.
This way, you never need to know the actual passwords, the passwords can be as long as you like, and if your database is stolen, the hashes are not useful to anyone (because we added in that random text).
So, now you understand that, read:
http://www.openwall.com/phpass/
and absolutely read up on SQL injection and SQL prepared statements, else this is all a bit pointless!
You shouldn't encrypt passwords. You should hash them. This way they can't be decrypted.
You can read more about it here.
Best solution is to use HASH code instead of using encryption and decryption.
md5($pass) - give you 32 bits unique hash code
similarly sha256(), hash()...etc
store these hash codes in your database at the place of password.
Hash code are one way. So it is more secure for your users.
Click here for a more comprehensive way of protecting your passwords and login access using PHP and MYSQL
I'm moving my site from an oscommerce store to a commercial application.
The new application stores its passwords using straight MD5 encryption. Oscommerce stores the password using MD5, but also adds a random 2 digit number (provided in plaintext) to the hash.
Here is what someone posted on a forum:
The two characters added are for creating the hash in such way that
hash=md5(twocharactersPlainPassword)
ie: 2letters: 74
Plain Password: PaSs
hash=md5('74PaSs')=acaa6e689ae0008285320e6617ca8e95:74
Here is the code how Oscommerce encrypts the password:
// This function makes a new password from a plaintext password.
function tep_encrypt_password($plain) {
$password = '';
for ($i=0; $i<10; $i++) {
$password .= tep_rand();
}
$salt = substr(md5($password), 0, 2);
$password = md5($salt . $plain) . ':' . $salt;
return $password;
}
// This funstion validates a plain text password with an encrypted password
function tep_validate_password($plain, $encrypted) {
if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
$stack = explode(':', $encrypted);
if (sizeof($stack) != 2) {
return false;
}
if (md5($stack[1] . $plain) == $stack[0]) {
return true;
}
}
return false;
}
Here is how my new cart encrypts the password:
if ($admin_password_encrypt == 1) {
$password_match = md5($password);
} else {
$password_match = $password;
}
Is there any possible way of importing customer passwords from my oscommerce cart to my new cart.
Do not save plain MD5 hashes in your database. Plain MD5 hashes can be reverse engineered quickly and easily using rainbow tables. However, here's how you solve your problem, no matter how you choose to store the passwords in the future:
Create a column in your new database that specifies the "version" of the password. This is used to determine if the password was generated by the old application or the new one.
Import the old users, setting the aforementioned flag to indicate the password is imported.
Create two methods for validating a password. One method uses the code from your old application, the other uses your new validation method.
When a user is logging in, check the aforementioned flag and use the appropriate validation method.
Anyways, I want to reiterate that plain MD5 hashes are easy to crack for most passwords (since people like short and easy to remember passwords.) Use a salt and/or a more complex algorithm. I'd recommend both, and use a salt that is longer than two characters and not limited to numbers. This will make the passwords really secure.
It appears that you have the source code for your new cart. Since "straight MD5" is a terribly awful way of storing passwords, perhaps you should simply change the to use the same password storage mechanism as OSCommerce.
The answer to your question is no, there is no way of converting the passwords.
No. MD5 is a hash algorithm, which is a one-way function. You cannot reverse the hash on your oscommerce system to remove the salt and rehash. Sorry.
If the passwords are encrypted with md5, you won't be able to decrypt them. Your best possibility can be to check in your login code whether the creation of an account/last password change occurred before a certain date. If so, use OSCommerce's password validation function, if not, use your own.
This way, for all new accounts the passwords will be encrypted with the new method, and for old accounts you'd continue to handle them as usual, so it'll be transparent to users.
Another, and possibly better option is that you continue to use the salting method of OsCommerce. It is more secure, and you'll also get to keep your existing passwords.
There is no method for automatic conversion between hash algorithms. Unfortunately you would likely be stuck picking from one of the following bad options:
Configure or program old cart to store hashes in new format as users login to old system.
Use a password cracker to recover some percentage of old system cart passwords.
Ask new vendor to support old format
Send notification to all users they will need to prepend the salt text to their passwords when using the new system or customize the system to prepend known salts for them.