PDA

View Full Version : admins see passwords


Keyser S?ze
05-29-2002, 06:43 PM
u wouldnt think this was needed, but i swear it is, for some reason in 2.0.3 i could see the users password, but now in 2.2.5 i cant, and i use to have this user that kept re-registering, just to bug ppl, and he ALWAYS used the same password, wutang,

also has been helpful in other cases, but not used for anything bad

does a hack like this exsist where admins can see users passwords in the admin cp?

thanks

Xenon
05-29-2002, 07:38 PM
passwords are md5 encrypted, you cannot decrypt it anymore, its not possible to decrypt md5.

as i know there was a hack wich saves the passwords unencrypted for 2.x.x, but not sure

try the search function.

also it's not so hard to write a hack, wich will save pw's after login in uncryptet version into the DB, but i don't think its a good thing to do so

scsa20
05-29-2002, 08:00 PM
Originally posted by IceMalee
u wouldnt think this was needed, but i swear it is, for some reason in 2.0.3 i could see the users password, but now in 2.2.5 i cant, and i use to have this user that kept re-registering, just to bug ppl, and he ALWAYS used the same password, wutang,

also has been helpful in other cases, but not used for anything bad

does a hack like this exsist where admins can see users passwords in the admin cp?

thanks

hmmm....since he uses the same password over and over again and you know what the password is, find out what his e-mail address is (if he uses Hotmail, put in his username (the first part of the adde (if you didn't know ;))) and use it againes your advages ;))

anyways, why would you what to know someone's password for?? just ban the guy :rolleyes:

Logician
05-30-2002, 09:02 AM
it's not what you asked, but is what you need: ;)
https://vborg.vbsupport.ru/showthread.php?s=&threadid=38909

Scott MacVicar
05-30-2002, 09:59 AM
I would not really recommend storing the passwords un-encrypted, if your on a shared server you'll find that anyone with shell will have access to your mysql tables, and you don't really want them having your passwords.

Such as a competitor might buy a $9.95 account on your server just to get access to your admin passwords and thats you in trouble. This is all hypothetical btw :P

If he used the same password, the hashed password will be the same so this query will find it.

SELECT * FROM user WHERE password=MD5("password")

Tigga
05-30-2002, 04:41 PM
Couldn't you just simply search for the password "wutang" in the admin pages under users / find?

Xenon
05-30-2002, 11:30 PM
no, you can't search for passwords in the admin cp since vb2

RDX1
05-31-2002, 06:51 AM
i know how to find out users passwords via ACP... and its pretty easy... but would this be invasion of privacy if i told you how and you used it for other reasons?

Chris M
05-31-2002, 09:58 AM
Not really...

It is something that could be useful...

Perhaps only to the site owner - i.e. Userid=1?

Satan

Scott MacVicar
05-31-2002, 05:22 PM
You cant decrypt a MD5 hash, the only way to find it out is to store it seperately when they login / register.

To find a user using a password would be easy though, type in the password click find and it should come up. If you want i'll post the code

Chris M
05-31-2002, 09:18 PM
Yes please!

Satan

Scott MacVicar
05-31-2002, 10:39 PM
Odd the code is still in vBulletin, just click Find in your admin panel and type in a password and it will find anyone with that exact password.

RDX1
06-01-2002, 06:07 AM
well i can get a users password, but it can be a hassel... and its not decrypting it just a trick

Dean C
06-01-2002, 10:14 AM
i personally wud neva sign up to a board that cud get my password... i think its an invasion of privacy because on some sites i use the same passwords and it leads the way open to many things...

Scott MacVicar
06-01-2002, 10:38 AM
NerdNation i presume your talking about brute forcing it. encrypting hundreds of words and comparing them to the password you have?

:P

Xenon
06-01-2002, 10:52 AM
Originally posted by Mist
i personally wud neva sign up to a board that cud get my password... i think its an invasion of privacy because on some sites i use the same passwords and it leads the way open to many things...

most of the time, you don't know if the siteadmin could see your pw or not

Chris M
06-01-2002, 03:02 PM
You should have 2 passwords at least anyway...

One for boards where you goto, but you have no power or anything...

And another for boards you are a Mod, Super Mod, Admin or Owner of...

That way, if someone finds out your password to your account say at a board where you are just a normal member, they cannot access anything important...

Or if one of their admins are corrupt and view your password, then they cant access your site!

Satan

Neo
06-01-2002, 03:32 PM
why not just ask your users for their password if you really need it... I am sure they would be happy to give it to you :p

Lucky
07-04-2002, 07:47 AM
So nerdnation what is the deal? How?