show user password in admin panel v.2.2.0
I know the passwords are encrypted in v2.2.0, but is there any way to have them shown in the admin control panel?
I know there is a security risk, but I think it's always good to have that option.
Palmer ofShinra
11-01-2001, 09:05 PM
It's a MAJOR risk...
I had that enabled at my forum, then a hacker got in (thanks to one staff member's utter stupidity).
EVERYONE had to change their passwords... repeatedly.
It was not fun.
Niels vdw
11-01-2001, 09:24 PM
You can't decrypt MD5-encrypted passwords
Sure you can ;) it just takes skill and time.
Scott MacVicar
11-01-2001, 10:38 PM
MD5 produces a 32-character string no matter what, so a book encrypted in MD5 will be 32 characters and the letter 'a' encrypted is 32 characters.
There is no way to undo this.
I don't want to use MD5 encryption because I will be integrating another script along with vB that calls the passwords from the user table, and this would make it so difficult.
Yeah, I know that there is a risk in having the passwords visible, but I'm the only person who can enter the admin panel and I didn't have any problems for over 3 years since I started with UBB.
And I know it's really hard to decrypt the MD5 encryption, but I was hoping somebody will figure it out :)
So you want a script to allow you to view passwords via the CP, by decrypting the MD5-encrypted passwords in the DB? Sorry man, ain't NOBODY going to make this, if it's at all POSSIBLE! Best bet is to take out the encrypting altogether before you can tackle ANYTHING. Sorry man, try www.elance.com for this one. You're looking at $250 MIN.
Admin
11-02-2001, 11:36 AM
It's not that hard to create an encryption that can be later decrypted, but using unique keys so no one will be able to decrypt an encrypted value (without getting the keys and the source code of the encryption, of course).
Btw, I *think* MD5() was already decrypted by someone, but I'm far from sure.
And if anyone will be able to decrypt MD5 hashes with 100% success, trust me he won't be giving it to you. :)
OK, then I should forget this idea :( but I think it was a good idea to give the users the option of whether they wanted to encrypt the passwords when upgrading,
because the reason that's keeping me from upgrading to 2.2.0 is this thing: I get too many complaints from new users that they can't log in and things like that, and I have to log in using their account to see the problem.
Anyway, I hope Jelsoft Enterprises will consider putting that option back in the config file.
The Realist
11-02-2001, 03:45 PM
So what would happen if a member no longer uses the email address that he registered with? He will then be unable to have his password sent to him.
He then asks the admin to change it for him; how can this be done?
;)
amykhar
11-02-2001, 03:57 PM
The admin could simply change the email address, and then have the password reactivation link emailed to the user.
Amy
Niels vdw
11-02-2001, 04:32 PM
What about letting the admin choose whether to use MD5 or not?
Originally posted by Niels vdw
What about letting the admin choose whether to use MD5 or not?
I agree.
Scott MacVicar
11-02-2001, 05:31 PM
It's kinda pointless to try and suggest it now if you've already upgraded to 2.2.0.
FireFly >
MD5 can't be decrypted, as two strings could encrypt to the same value, so you wouldn't be able to find out the original value. So far the only thing people have been able to do is brute force.
Admin
11-02-2001, 05:40 PM
Originally posted by PPN
FireFly >
MD5 can't be decrypted, as two strings could encrypt to the same value, so you wouldn't be able to find out the original value. So far the only thing people have been able to do is brute force.
Scott MacVicar
11-02-2001, 05:48 PM
Positive, as there are not enough combinations to account for every possible word, letter or phrase that could be encrypted, as MD5 always returns a 32-character string with lowercase letters and numbers.
PPN >
I didn't upgrade my main forum, I did it on my test forum... that's why I'm trying to get that option to use MD5 encrypting or not for my main forum,
and I hope they would consider putting that option in for the admin.
OK: I think I should change the request from how to show the passwords after the upgrade to
how to remove the password encryption from the upgrade file and have the passwords shown in the admin panel.
That should be a good modification or a hack :D
Bald Bouncer
11-03-2001, 01:05 PM
OK: I think I should change the request from how to show the passwords after the upgrade to
how to remove the password encryption from the upgrade file and have the passwords shown in the admin panel.
I totally agree, it would be nice to have the option.
thewitt
11-03-2001, 07:42 PM
Every time I see this question posted, I have to ask.
What reason could you possibly need for seeing my password in your forums that is not already addressed some other way?
I have been working on computer systems as an admin for more than 20 years and I never want to know a user's password.
Help me understand your needs, and perhaps there are other tools I can suggest to solve your problems.
Thanks,
-t
Bald Bouncer
11-03-2001, 10:25 PM
Well, I don't know about your experiences, but I often use this feature when someone has forgotten their pass in the chatroom and asks, to save messing about with emails etc. I do change the mods' passes for security and give them to them rather than have email notification, which is always open to being hacked. This is also done through the chatroom manually after checks, and it's our own chat server and secure.
This is a feature I use and I would like to have the option to keep it, as it seems would many others for the same reasons.
thewitt
11-03-2001, 10:50 PM
I disagree that the new method of emailing a link that allows the user to get in with a new password is in any way hackable or insecure. It's very much more secure than having open, human readable passwords.
The users have a way to assign themselves a new password should they forget it, without even having to ask you for their password, so the need to breach security and give them a plain text password is not required to meet your end goal - only to meet the process you have chosen to use to hand out lost passwords.
I'm not sold. Any other reason?
-tim
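The reset-link flow thewitt is describing, as an added illustration written for this thread (not vBulletin's code, and not what any poster ran): the server issues a random one-time token, stores only a digest of it with an expiry, and on redemption sets a new password hash. Nobody, including the admin, needs to see the old password. The in-memory dict standing in for the `user` table, the SHA-256 token digest and the 30-minute window are assumptions made for the example.

```python
"""Added example: an email-reset-link flow of the kind thewitt describes.

Illustrative code written for this thread, not vBulletin's own implementation.
Assumptions: a dict stands in for the user table, hashlib.sha256 is used for the
token digest, and tokens are valid for 30 minutes. The server never stores the
password in clear text, and it stores only a digest of the reset token, so a
read of the database alone does not let anyone reset accounts.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumption: 30-minute validity window

# Constructed sample "user table": username -> record. The password column is
# an unsalted MD5 hex digest, the scheme vBulletin 2.2.0 is discussed as using.
USERS = {
    "alice": {"email": "alice@example.org",
              "password": hashlib.md5(b"correct horse").hexdigest(),
              "reset": None},
}


def issue_reset_token(users, username, now=None):
    """Create a one-time reset token for `username` and return the raw token
    that would be emailed. Only its SHA-256 digest and an expiry are stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    users[username]["reset"] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(users, username, token, new_password, now=None):
    """Verify the token; on success store the new password hash and burn the
    token. Returns True on success, False otherwise (no reason is leaked)."""
    now = time.time() if now is None else now
    record = users.get(username)
    if record is None or record["reset"] is None:
        return False
    pending = record["reset"]
    if now > pending["expires"]:
        record["reset"] = None                  # expired: discard, never replayable
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time compare so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(presented, pending["digest"]):
        return False
    record["password"] = hashlib.md5(new_password.encode()).hexdigest()
    record["reset"] = None                      # single use
    return True


def check_login(users, username, password):
    """Login check as the thread describes it: hash the candidate and compare
    digests; the stored hash is never reversed."""
    record = users.get(username)
    if record is None:
        return False
    candidate = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, record["password"])


if __name__ == "__main__":
    t = issue_reset_token(USERS, "alice")
    print("emailed token:", t)
    print("redeem:", redeem_reset_token(USERS, "alice", t, "new pass"))
    print("login with new pass:", check_login(USERS, "alice", "new pass"))
    print("reuse token:", redeem_reset_token(USERS, "alice", t, "again"))
```

Note that the token, not the password, is what travels by email, and it is useless after one redemption or after the window closes, so an old message sitting in a mailbox does not stay a standing credential.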
thewitt, I will be integrating some scripts with vB that use user.password, and the scripts don't work with MD5; how about this reason? ;)
There are many reasons for me:
1. I have a lot of users that don't use a real email address, and when they lose their passwords I keep emailing them; the process takes a lot of emailing, and you can imagine how many times I have to deal with this problem if you have a board with a large number of users.
2. To identify the troublemakers from their passwords... a lot of users keep using the same password or the same combination, which makes them identifiable....
3. A lot of times whenever I do hacks... I have to log in using some of my moderators' login names to check for troubles... and I have over 50 moderators and normally I don't have the time to ask them for the password and wait for the answer.... A simple example is the moderator log hack... I had one moderator name that was not being logged... after using his name and testing, I discovered it was because he used a custom user title.
I don't say that I can't get away without having this function, but without it my life will be a lot harder,
but I should have the option to have it or not to have it... exactly the way it was with the older versions.
thewitt
11-03-2001, 11:42 PM
Originally posted by Ruth
thewitt, I will be integrating some scripts with vB that use user.password, and the scripts don't work with MD5; how about this reason? ;)
Opinion here, based on serious experience, not hyperbole. These are also insecure and need to be modified to use the encrypted password.
Storing plain text passwords is perhaps the single most insecure thing that anyone can do in an application. CS101 stuff here.
Use this opportunity to bring your applications up to a higher level of security standard...
-t
thewitt
11-03-2001, 11:51 PM
Originally posted by dxb
There are many reasons for me:
1. I have a lot of users that don't use a real email address, and when they lose their passwords I keep emailing them; the process takes a lot of emailing, and you can imagine how many times I have to deal with this problem if you have a board with a large number of users.
This is a problem. I cannot imagine why you do this, but if you do you are right - it's a problem. I would never consider allowing registered users without a real email account. Perhaps someone else who allows this will comment.
2. To identify the troublemakers from their passwords... a lot of users keep using the same password or the same combination, which makes them identifiable....
This doesn't change. The text encrypts to the same thing - you just can't read it as words. You should still be able to pull out duplicate password strings as MD5 passwords.
3. A lot of times whenever I do hacks... I have to log in using some of my moderators' login names to check for troubles... and I have over 50 moderators and normally I don't have the time to ask them for the password and wait for the answer.... A simple example is the moderator log hack... I had one moderator name that was not being logged... after using his name and testing, I discovered it was because he used a custom user title.
You see, this is one of the key issues with plain text passwords. You should never be able to log in as me on your forum without my express knowledge and permission. If I want you to log in as me, I'll tell you my password.
I don't say that I can't get away without having this function, but without it my life will be a lot harder,
but I should have the option to have it or not to have it... exactly the way it was with the older versions.
This was not an option with the other version. Viewing the passwords was, but encrypting them was not. You now have a more secure board, and we have a more secure product. I am more comfortable using your board because I know that my password is stored in a safe manner. Life is good.
-t
Bald Bouncer
11-04-2001, 12:28 AM
I'm not sold. Any other reason?
I wasn't aware I had to sell you on anything. You asked for reasons, I gave you a few; now, as far as I'm concerned, that's it. I didn't really have to explain at all, but I did. My main forum has been running for over 5 years now and we have never had a security breach and have always been very careful.
thewitt
11-04-2001, 01:11 AM
Originally posted by Bald Bouncer
[clip]my main forum has been running for over 5 years now and we have never had a security breach and have always been very careful.
As in most password exploits, you would likely never know if someone was using other people's accounts on your server because their passwords were exposed.
As for selling me, you posted here looking for support for adding a feature back into the product that is a no-no in every intelligent security resource on the planet. If you just wanted to ask Jelsoft to put it back in, you could have done so in a private email. That appears to me to be a solicitation for support, and I'm simply telling you that you don't have mine yet.
If you don't care, that's fine. I'm not put out by it, just giving you a chance to explain your reasoning for asking for what I consider to be a huge security hole in the software.
I would suggest that it will take more than a "put it back cause I don't like the change" argument to make a difference - but I've been wrong before.
Now someone could certainly write a hack that intercepts the password validation process and writes the plain-text, pre-encrypted password into another field in the database. I suspect this will be the way you'll expose the passwords in your forums in the future, and not by some reversal of design in vBulletin - but again, I've been wrong before.
If you want Jelsoft to put it back the way it was, you might also post your concerns in the vBulletin community forums and not in the hack forums. I'm not sure if that will make a difference, but I suspect that's a better place to ask Jelsoft for changes.
Good luck,
-t
Bald Bouncer
11-04-2001, 01:34 AM
As for selling me, you posted here looking for support for adding a feature back into the product that is a no-no in every intelligent security resource on the planet. If you just wanted to ask Jelsoft to put it back in, you could have done so in a private email.
No, if you read back, that's not what I asked for at all. I just agreed with dxb when he said he should change the request to how to remove the password encryption from the upgrade file and have the passwords shown in the admin panel, and as showing passwords was a hack in the first place (I think I'm right that it was a small hack) the question couldn't be answered in the main forum.
thewitt
11-04-2001, 01:39 AM
Showing the passwords in the admin panel might have been a hack once, but it's been in the product proper for all the 2.n versions. I'm not sure when it was added - that is if it was not always available with the plain text versions.
-t
SWFans.net
11-04-2001, 01:42 AM
Originally posted by dxb
There are many reasons for me
3. alot of times when ever I do hacks ... I have to login using some of my moderators login names to check for troubles ... and I have over 50 moderator and normally I don't have the time to ask them for the password and wait for the answer .... a simple example is the moderator log hack ... I had one moderator name that was not being logged ... after using his name and testing I discovered it was because he used a custom user title
I have a simple solution for this one.
Register another account for yourself (different name) and grant it moderator abilities, so you can test the accesses or whatnot.
Bald Bouncer
11-04-2001, 01:59 AM
Showing the passwords in the admin panel might have been a hack once, but it's been in the product proper for all the 2.n versions. I'm not sure when it was added - that is if it was not always available with the plain text versions.
Well, it's a change to admin/config.php, so isn't it a hack? And if it wasn't, then why was it posted in the hacks section?
So if you have this visible then you must have changed it.
I'm also having problems with the new system and have had to delete one mod and get him to register again because it won't accept his pass or send it. Normally a simple problem like this I could have sorted in 5 mins; now I've got to add him back to forums etc. Pain in the arse.
SFishy
11-04-2001, 08:38 PM
I'm just going to chime in and say I agree this should have been an option. Just because some people think encryption is the only way to go, that doesn't mean it's the best way to go for all paying customers. Some of us can't afford the time and work it's going to take to rewrite our authentication systems so they now work with VB's new encrypted passwords (I have a chat system that uses the same username and passwords as my VB, or at least it used to). Some of us also don't have time to be explaining in e-mail after e-mail this new procedure to our members, who now can't have their passwords e-mailed to them. Some of us have lots of problems with people opening up second and third accounts, and any little way to track these people down is helpful (by doing searches for passwords). It was a feature in VB prior to 2.2.0 and now it's not. As a paying customer, I kinda think I should have been warned that adding encryption was going to take other things away from me. And what should we do? Not upgrade? Stay at 2.0.3 forever? That's the way companies lose customers.
So I agree it should have been an option.
And I'd LOVE to see a hack that intercepts before it's encrypted, and copies it to an "admin only" custom field. A field I could easily use for my chat purposes, for helping my members, and for finding duplicate accounts.
afterlab
11-04-2001, 08:48 PM
I am totally against this hack. I hate this feature because some people use the same password within many websites so that they can remember it. Well, what if the administrator sees someone's password? They can have access to websites, e-mail, other bulletin boards and more!! Please, vbulletin.org, if you are going to install this, remind me, so that I know to leave.
If you make this hack, I will not join anymore Bulletin Boards. If you do, at least the Administrator(s) should tell us that they have installed it, so I know not to join.
And that's that.
SFishy
11-04-2001, 09:09 PM
Give me a break Afterlab. I really don't want to argue with you about this, but your signature says you are using 2.0.3 and that version doesn't have encrypted passwords out of the box. So you my friend, have (or at least had) the ability to see passwords.
afterlab
11-04-2001, 09:10 PM
Ah really? Crap. << Is stupid
DelusionalMind
12-29-2001, 05:22 AM
So anyone make this yet?
I want an option to take it out... it shouldn't be that hard... should it? I'd do it myself if I knew PHP and all that stuff...
kaizen
12-29-2001, 09:37 AM
FireFly: No one has broken the MD5 hashing system.
MD5 can be brute forced, but anything above 4 or 5 characters would take weeks.
I had a script a little while ago (I'll have to dig it out) that could break passwords encrypted in MD5 for anything up to 4 characters. Anything above that and it would crash the server.
If you want, someone make a 3-character password and copy the MD5 hash in here and I'll see what I can do. Nothing above 3, otherwise it will crash my personal server.
okrogius
12-29-2001, 03:37 PM
I believe there used to be some hack to get rid of MD5. However, it was never tested. Check out the full releases forum. I might be wrong...
IMO there's no reason why you should need to see members' passwords. But if you bought vB and you want it, then it's your choice. However, in that agree/disagree prompt prior to registering, please mention that you reserve the right to view users' passwords.
okrogius
12-29-2001, 03:41 PM
Originally posted by kaizen
FireFly: No one has broken the MD5 hashing system.
MD5 can be brute forced, but anything above 4 or 5 characters would take weeks.
I had a script a little while ago (I'll have to dig it out) that could break passwords encrypted in MD5 for anything up to 4 characters. Anything above that and it would crash the server.
If you want, someone make a 3-character password and copy the MD5 hash in here and I'll see what I can do. Nothing above 3, otherwise it will crash my personal server.
Jawelin
12-29-2001, 04:23 PM
:)
YOU CAN'T REVERSE A DATA-LOSS ALGORITHM, even with +$250 !!! ;)
Passwords aren't actually 'encrypted', but HASHED!
MD5, along with RC4 or SHA1, are HASHING algorithms, not cipher ones.... All of them are complex NLP (NON-LINEAR POLYNOMIAL) algos which can't be reversed, as in the many steps most of the data - beginning from a couple of random large (VERY large!) numbers - is lost...
So you can't even interpolate an approximation with a Neural Network...
The only thing you can ensure is:
same word (any length) ----> same hash (32 or 40 bytes, respectively MD5 or SHA1)
This way you can compare words (CASE SENSITIVE, of course, because 'a' and 'A' for a math algo are 97 and 65!!!) without knowing them !!! ;)
Bye
Hope this helps.
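The properties the thread keeps coming back to, shown together in one added example (written for this page, not code from any poster or from vBulletin): the fixed 32-character output Scott MacVicar mentions, the "same word, same hash, case sensitive" comparison Jawelin describes, and thewitt's observation that reused passwords can still be spotted by looking for duplicate hashes in the `user` table. The user table below is constructed for the example; `md5_hex` is a small wrapper over `hashlib` and is not a vBulletin function.

```python
"""Added example (not from the thread or from vBulletin): what an unsalted MD5
password column does and does not let you do.

- fixed-length output: a one-letter input and a 10,000-letter input both hash
  to 32 lowercase hex characters;
- deterministic and case-sensitive: the same word always gives the same hash,
  'a' and 'A' do not;
- so duplicate passwords can be found by grouping the hash column without ever
  knowing the passwords themselves.

The user table below is constructed for the example.
"""
import hashlib
from collections import defaultdict


def md5_hex(text):
    """Hex digest of the UTF-8 bytes of `text`, as PHP's md5() would store it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed sample of a vBulletin-style `user` table: (username, md5 hash).
USER_TABLE = [
    ("alice", md5_hex("Summer2001")),
    ("bob",   md5_hex("letmein")),
    ("carol", md5_hex("Summer2001")),     # same password as alice
    ("dave",  md5_hex("summer2001")),     # differs only in case: different hash
    ("erin",  md5_hex("letmein")),
    ("frank", md5_hex("a")),
    ("grace", md5_hex("a" * 10_000)),     # a 'book': still 32 hex characters
]


def fixed_length_check(rows):
    """True iff every stored hash is exactly 32 lowercase hex characters."""
    return all(len(h) == 32 and all(c in "0123456789abcdef" for c in h)
               for _, h in rows)


def verify_login(rows, username, candidate):
    """Password check as the thread describes it: hash the candidate and compare
    it to the stored value. The stored hash is never reversed."""
    stored = dict(rows).get(username)
    return stored is not None and md5_hex(candidate) == stored


def shared_passwords(rows):
    """Group usernames by hash and return {hash: [users]} for every hash used by
    more than one account. This works only because the column is unsalted: with
    a per-user salt, equal passwords would not give equal hashes and this query
    would find nothing."""
    by_hash = defaultdict(list)
    for user, h in rows:
        by_hash[h].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    print("all 32 hex chars:", fixed_length_check(USER_TABLE))
    print("alice / Summer2001:", verify_login(USER_TABLE, "alice", "Summer2001"))
    print("alice / summer2001:", verify_login(USER_TABLE, "alice", "summer2001"))
    for h, users in shared_passwords(USER_TABLE).items():
        print(h, "shared by", users)
```

The same grouping is a single `SELECT password, COUNT(*) ... GROUP BY password HAVING COUNT(*) > 1` against the real table; the point is that the admin learns "these two accounts share a password" without learning what it is.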
kaizen
12-29-2001, 04:29 PM
Originally posted by Codename49
Just out of curiosity to see if you can do it I created a username with a 3 character password.
Here's the md5 hash I got for it...
8aa11cd5807364a0fd04593d4b8ad56d
Unfortunately, that exceeds 30 seconds, which is my host's timeout.
If anyone has a server that doesn't time out at 30 seconds I will have another go.
kaizen
12-30-2001, 08:35 PM
Originally posted by Codename49
Just out of curiosity to see if you can do it I created a username with a 3 character password.
Here's the md5 hash I got for it...
8aa11cd5807364a0fd04593d4b8ad56d
The hash is invalid or is not 3 characters long.
Try again.
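What kaizen's "brute force" amounts to, as an added example written for this page (it is not kaizen's script and not anything posted in the thread): enumerate every string over a chosen alphabet up to a chosen length, hash each one, and stop at the first match. The target hash is constructed here from a 3-character password of my choosing; the hash posted above is not used, since its alphabet and true length are unknown. The lowercase-plus-digits alphabet is an assumption, and `search_space` shows why the cost climbs so steeply with length.

```python
"""Added example, not from the thread: exhaustive search for a preimage of an
unsalted MD5 hash over a small alphabet.

The target is constructed from a known 3-character password. The alphabet
(lowercase letters and digits) is an assumption; real passwords may use more
characters, which only makes the search larger.
"""
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols (assumption)


def search_space(alphabet, max_len):
    """Number of candidate strings of length 1..max_len: sum of |alphabet|^k."""
    return sum(len(alphabet) ** k for k in range(1, max_len + 1))


def brute_force_md5(target_hex, alphabet=ALPHABET, max_len=3):
    """Try every string of length 1..max_len in order. Returns (preimage, attempts)
    with preimage None if nothing up to max_len matches, so the cost is visible."""
    target_hex = target_hex.lower()
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
                return candidate, attempts
    return None, attempts


# Constructed target: MD5 of a 3-character password chosen for the example.
TARGET = hashlib.md5(b"k9z").hexdigest()

if __name__ == "__main__":
    found, n = brute_force_md5(TARGET, max_len=3)
    print(f"recovered {found!r} after {n} hashes")
    for length in (3, 4, 5, 6, 8):
        print(f"length <= {length}: {search_space(ALPHABET, length):,} candidates")
```

Three characters over 36 symbols is under 48,000 hashes, which is why a 3-character test is trivial; each extra character multiplies the space by 36, which is the "weeks" kaizen refers to once you pass five or six. A salt per user (not present in the scheme discussed here) would not change the cost of one search, but it would stop one search from covering every account at once.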