ignoring the obvious ethical issues :rolleyes: are there any hacks that can log the plain text password of users as they login to the forum?

providing users are informed that logging takes place i dont see a problem.

Possible, but no modifications have been released for this and I doubt there will be. Additionally, passwords are zapped (encrypted) on submission. But that can be turned off.

im speculating here as a non coder but couldnt the plain text password be 'interupted' before the db md5 hash query and sent to a .txt file in the forum file structure..

should be a simple bit of code..just wish i had studied software in school all those years ago..lol:D

by editing the <form to not have the passwordMD5 part, sure it is... so you md5 the password inside the record process instead... 2 edits...

this is less secure, as the data can be extracted on process, but if that's what you want...

why this btw ?!

curiosity really..
someone asked me how secure a vbulletin pwd was and ever since ive been wondering how to get round the md5 encryption..no other reason..
vbulletin is very secure it seems, double md5 hash plus salt..a reverse lookup of a vB hash is nigh on impossible..

in this situation keeping the md5 hash intact would be the best option and just using a line of code to output the raw text to a file during login..just wish i knew .php/mysql

i know there are lots of frowns about this subject but if you own the license/forum and are open about what youre trying to do then i dont think there should be issues worth raising in relation to such a mod/hack.

All you have to do is remove some javascript and catch the plaintext in the php code before it's hashed.

hehe..you make it sound sooo easy Brad..:p
x

hehe..you make it sound sooo easy Brad..:p
x

hey, i made it as simple BEFORE BRAD... lol

and actually, the only reason someone would make this possible is to enable the possibility to grab your "forgotten password" without reseting it...

i've done that for a client one day... he lost his time as all the members that needed password extraction were using the reset process anyway.. lol

oh yeah sorry nexialys.. :o
im still none the wiser as to the code/js needed..but im guessing providing someone knew the ftp user account details a form can be modded to provide a method of grabbing text pwds before they get hashed/compared..

so in essence regardless of how pwds are stored the only really important pwd is the admins ftp account..sheesh..!!

oh yeah sorry nexialys.. :o
im still none the wiser as to the code/js needed..but im guessing providing someone knew the ftp user account details a form can be modded to provide a method of grabbing text pwds before they get hashed/compared..

so in essence regardless of how pwds are stored the only really important pwd is the admins ftp account..sheesh..!!
Well a proper modification would catch the plaintext version and hold it in memory until the user is logged in. If the user managed to log-in we know that password is good and we can store it somewhere for whenever it's needed.

The main problem with this is removing the bit of javascript in the navbar. You see it will hash the password on the client side before sending it off to the server (if the client has javascript on that is). This was done in the name of security...someone can't grab the plaintext version in-route to your server in other words.

I'm not interested in coding such a thing just because it doesn't catch my fancy but I'm sure some one around here would be willing to do it for you if you really wanted it.

You could always just hack out the hashing and store the passwords as plaintext in the database (you're doing it anyway in my above example ;)). But hey, wheres the fun in that?

Well, you could just remove all of the md5 coding, you could just go into phpmyadmin. Although, I wouldn't even try something as stupid as that. WAY too insecure.

I'm sure Marco posted a constant so that they wouldn't be zapped, without the need to edit any JS.

having no hashing is not an option..
anyone want to earn a few notes writing me some code..?
happy to pay and keep it all private if you wish..
thanks all, very interesting topic.
diz
x

You don't understand...We're not saying to disable the MD5 hashing. The problem is that vBulletin automatically hashes the input before it even reaches the server.

i do get it, just..but one of the suggestions was to turn off hashing and store plain text in the db..thats what i meant when i said 'not an option'..
i guess i need code/js to grab the plain text before vbulletin sees it..is that nearer the mark?
ty
diz

You can turn off having vBulletin hashing it before it reaches the server. No matter what path you go down, you would have to do that.

I'm shocked that this Threads lasted the time it has! While the OP may not have bad intentions, anyone can read this thread!

yeah youre right Dave..maybe too much info in this thread for the general consu,er, though as there really is no easy way around the issue i originally posted i think the community is safe..

one final question not really relating to the original topic..
when you turn off or remove the hashing of passwords, does that mean everyone has to enter new ones the next time they log in?