vb.org Archive

Alexey? 03-11-2009 05:34 AM

Is there anyway to see password of users?
 
Is there any hack so that I can see users' passwords? Not log into them, just see the passwords?

BSMedia 03-11-2009 06:32 AM

Not unless you have a supercomputer and a lot of free time with some luck mixed in.

It's my understanding that they are double MD5'd with a unique salt per user to prevent such trickery, though I'm not certain if that's the case or not.

Alexey? 03-11-2009 07:16 AM

And there is no modification for this?

TigerC10 03-11-2009 08:08 AM

No. There's no modification for this, because the passwords aren't stored as "plain text". Passwords are stored as encrypted text with a method of encryption called "MD5". MD5 is known as an irreversible encryption. Basically, there is no way to decrypt it. A sort of "separate the lock from the key" approach toward encryption. Very much NOT useful for encrypting documents of any kind, but VERY useful for passwords.

Take for example, the word "password". It is hashed out into a 32 character value through the MD5 function and becomes...

5f4dcc3b5aa765d61d8327deb882cf99

vBulletin adds more security through obscurity to that! It then takes this 32 character value and adds a randomized salt (which is stored in the database for every user) to the end... A salt is a 3 or 4 character set of randomized symbols that looks like

=!q
4g*

so you get

5f4dcc3b5aa765d61d8327deb882cf994g*

It then hashes the MD5 of that whole mess to result in an even more irreversible string, which is stored in the database as the user's password.

9a345e5cf815ea1c9b3f88296f7eef78


When the user enters their password, it is hashed, then salted, and hashed again - and it checks to see if that gobbledygook matches the gobbledygook in the database.

Put simply, it is impossible to get someone's password with a mere mod. That's what BSMedia was talking about - you can use a supercomputer that's constantly calculating and hashing dictionary values over a few dozen/hundred years until it finds a match - but this is a highly inefficient means of doing so.

I suppose one could also alter the login.php file to steal the password before it is hashed and either store it in the database or have it sent somewhere - but this would instantly be broken the moment they upgraded the board.






Either way, stealing your members' passwords like that is really dishonest and is a violation of computer ethics.
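An added example, not part of the original post and not vBulletin's source code: the md5(md5(password) + salt) check described above, next to a hardened form that wraps the already-stored hash in PBKDF2 so existing rows can be strengthened without knowing any password. The function names, the salt alphabet, the iteration count and the sample values are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def new_salt(length: int = 3) -> str:
    # Assumption: printable ASCII symbols, like the "=!q" and "4g*" samples.
    return "".join(chr(33 + secrets.randbelow(94)) for _ in range(length))


def legacy_hash(password: str, salt: str) -> str:
    """Scheme from the post: MD5 the password, append the salt, MD5 again."""
    return md5_hex(md5_hex(password) + salt)


def verify_legacy(password: str, salt: str, stored: str) -> bool:
    # Constant-time comparison of the recomputed and stored hex digests.
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def wrap_stored_hash(stored_legacy: str, wrap_salt: bytes) -> bytes:
    """Hardened form: feed the stored legacy hash through a slow KDF.
    Needs only the database value, so it can be applied offline to every row."""
    return hashlib.pbkdf2_hmac("sha256", stored_legacy.encode("ascii"),
                               wrap_salt, PBKDF2_ITERATIONS)


def verify_wrapped(password: str, salt: str, wrap_salt: bytes,
                   stored_wrapped: bytes) -> bool:
    # At login: rebuild the legacy hash from the typed password, then wrap it.
    candidate = wrap_stored_hash(legacy_hash(password, salt), wrap_salt)
    return hmac.compare_digest(candidate, stored_wrapped)


if __name__ == "__main__":
    salt = new_salt()                      # constructed sample user
    stored = legacy_hash("password", salt)
    print("legacy check:", verify_legacy("password", salt, stored))
    wrap_salt = secrets.token_bytes(16)
    upgraded = wrap_stored_hash(stored, wrap_salt)
    print("wrapped check:", verify_wrapped("password", salt, wrap_salt, upgraded))
```
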

Zachery 03-11-2009 08:18 AM

It's not encryption, it's hashing.

TigerC10 03-11-2009 08:32 AM

Quote:

Originally Posted by Zachery (Post 1765547)
It's not encryption, it's hashing.

Yes, yes... And I'm aware that Darth Vader never said, "Luke, I am your father" and that Captain Kirk never said, "Beam me up, Scotty". ;) Just pointing out that you don't need to make a one-liner post that makes you sound pompous for making a distinction that nobody cares about...

The terms are not mutually exclusive. Hashing is a form of encryption, a very specific form. It takes a variable length set of data (binary or text) and then spits out a fixed length known type (either binary or text - not both). Encryption is a broad scope term that means it takes one thing and turns it into another thing. Encryption can be reversible, or in some cases it's not. Either way, you're still turning one thing into another thing.

dismas 03-11-2009 08:52 AM

There was a thread about this a little while back.

