How to decrypt SMF password

Arantor:

--- Quote ---Is it really not possible to decrypt it using any sort of method?
--- End quote ---

No, it is mathematically not possible to decrypt it. That's sort of the point.

If he logs out, you can reset his email address manually in his profile... but for GMail, there's nothing he can do, he'll have to sort that out with GMail.

die2mrw007:

--- Quote from: Arantor on May 31, 2012, 08:07:58 AM ---
--- Quote ---Is it really not possible to decrypt it using any sort of method?
--- End quote ---

No, it is mathematically not possible to decrypt it. That's sort of the point.

I still do not understand what you possibly hope to achieve by decrypting it anyway (other than getting user passwords which is unethical)

--- End quote ---

This user needs to have his forum password delivered, which he is claiming to have forgotten.
There can be two chances here:
Either the guy is telling the truth
or the logged-in user (which may be different from the actual user) is trying to get the actual user's personal Gmail account login details (password).

So, I simply thought it isn't a good thing as a forum Administrator to share the password. All I should do is reset the password if circumstances arise. Hence, I replied back to the poster that I can't help him in providing the RAW password but instead, if required, could reset the pass.

But still the question stuck in my mind, if the SMF password really couldn't be read by the Administrator of the Server at any cost?

Arantor:
Yes, I realised what you were trying to do, and edited my post accordingly.

No, it is not possible to read the password, even if you're the administrator. If you're the administrator, you actually don't need the password, there is NOTHING you cannot do with that account. It is even possible, with some effort, to actually log in as that user without their password if you have DB access.


It actually doesn't matter whether it's the truth or not. You can't give him the password, no matter what.

die2mrw007:

--- Quote from: Arantor on May 31, 2012, 08:24:44 AM ---It actually doesn't matter whether it's the truth or not. You can't give him the password, no matter what.

--- End quote ---
Hmmm... I agree, that's against admin ethics. :)

Arantor:
It's not just a case of ethics, it's also a security matter. However the password is encrypted, if it's reversibly so, it's still physically weaker than if it were not so.

In the case of passwords, imagine for a moment they were all stored reversibly. The key must also be on the server. If a hacker is able to gain access to your system in ANY fashion, they have the entire password list right there. The same cannot be said for hashes (though then you get into the debates over rainbow tables, while SMF's passwords are salted with the username to mitigate against it).
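
An added illustration of the points made in this thread (it is not part of any post above and is not SMF's own code): login checks a password by re-hashing it, the username salt makes identical passwords hash differently, and an administrator resets rather than reads. It assumes the stored value is SHA-1 over the lowercased username followed by the password; the thread only says the hash is salted with the username, and all function names and sample accounts here are hypothetical.

```python
import hashlib
import hmac
import secrets

def hash_password(username, password):
    # Assumed scheme: SHA-1 over lowercased username + password.
    data = (username.lower() + password).encode("utf-8")
    return hashlib.sha1(data).hexdigest()

def verify(username, candidate, stored_hash):
    # Login never decrypts anything: it hashes the candidate the same way
    # and compares the result with the stored value in constant time.
    return hmac.compare_digest(hash_password(username, candidate), stored_hash)

def admin_reset(username):
    # What an administrator can do instead of reading the old password:
    # generate a new one and overwrite the stored hash.
    temp = secrets.token_urlsafe(12)
    return temp, hash_password(username, temp)

def unsalted_table(words):
    # A precomputed table of plain SHA-1 digests, the kind of table the
    # username salt is meant to make useless.
    return {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in words}

# Constructed sample accounts: two users who picked the same password.
USERS = {
    "alice": hash_password("alice", "hunter2"),
    "Bob": hash_password("Bob", "hunter2"),
}

if __name__ == "__main__":
    print("same password, same hash? ", USERS["alice"] == USERS["Bob"])
    print("alice logs in:            ", verify("alice", "hunter2", USERS["alice"]))
    table = unsalted_table(["hunter2", "password", "letmein"])
    print("found in unsalted table?  ", USERS["alice"] in table)
    temp, new_hash = admin_reset("alice")
    print("old password after reset? ", verify("alice", "hunter2", new_hash))
    print("temporary password works? ", verify("alice", temp, new_hash))
```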
