How to decrypt SMF password

Started by Nitesh Kunnath, May 30, 2012, 02:00:50 PM

Previous topic - Next topic
Print
Go Down Pages1 2 All
User actions

Nitesh Kunnath

May 30, 2012, 02:00:50 PM
How to decrypt SMF password which is sha1 hash salt?
I am using hashcat program for this and have salt and hash code both. Could anyone help me?

Arantor

#1
May 30, 2012, 02:15:14 PM
It is not possible to decrypt; that's the point of hashing - it's a one way only process.
What are you hoping to achieve?

MrPhil

#2
May 30, 2012, 03:19:57 PM
The CIA or the NSA might have the computing power to get the original password back, but you're not going to. If a user forgets their password, all you can do is generate a new random one. If you want to use SMF passwords to go into some other system, your best bet is to try several different hashes on the clear text password until you find the key that fits the lock. This could be useful if you have several different sources for already-hashed passwords (some from SMF, some from MyBB, some from phpBB,...). That's all I can suggest.

Arantor

#3
May 30, 2012, 03:46:33 PM
Actually, you cannot physically get the original password back; that's the point of hashing. All you can do is keep trying other things in the same hash method to see if you get the same result at the end, there are 2^160 combinations of result within the SHA1 method, so there *are* going to be multiple strings that give you the same result once hashed, but the bottom line is you're not looking to retrieve the original password, only find something that gives you the same result.

But it doesn't matter about this stuff, knowing what die is trying to achieve is likely to get us further forward instead.

Nitesh Kunnath

#4
May 31, 2012, 08:03:23 AM
(Check attachment)
An user is running into a problem and thus I attempted to decrypt it which for now isnt my cup of tea. I googled it and found that SMF is using Sha1 hash ($salt,$pass) encryption and thus downloaded the CUI version of hashcat program. Tried a lot but it just resulted in fail attempts. Hence I thought to ask it here how exactly it could be decoded if possible. If it is not proper to say it publicly due to SMF forum software safety feature, a PM could do.

And from the message from Arantor:
QuoteIt is not possible to decrypt; that's the point of hashing - it's a one way only process.
Is it really not possible to decrypt it using any sort of method?

The best thing about SMF I like the most is, the software does 90% of what the other paid forum softwares do and an open source platform adding it to the best ever in my opinion.
The Security here in SMF is high and perfect (exception: it depends completely on the administrator of the forum who handles it how efficiently it should work)

Some Exclusive mods from SMFPacks is really an addon for SMF to compete with paid forum board software.

Arantor

#5
May 31, 2012, 08:07:58 AM
QuoteIs it really not possible to decrypt it using any sort of method?

No, it is mathematically not possible to decrypt it. That's sort of the point.

If he logs out, you can reset his email address manually in his profile... but for GMail, there's nothing he can do, he'll have to sort that out with GMail.

Nitesh Kunnath

#6
May 31, 2012, 08:17:42 AM
Quote from: Arantor on May 31, 2012, 08:07:58 AM
QuoteIs it really not possible to decrypt it using any sort of method?

No, it is mathematically not possible to decrypt it. That's sort of the point.

I still do not understand what you possibly hope to achieve by decrypting it anyway (other than getting user passwords which is unethical)

This user need to have his forum password delivered which he is claiming to have forgotten.
There can be two chances here:
Either the guy is saying Truth
or the logged in user (which maybe different from the actual user) trying to get the actual user's personal gmail account login details (password).

So, I simply thought it isnt a good thing as a forum Administrator to share the password. All I should do is reset the password if circumstances arises. Hence, I replied back to the poster that I cant help him in providing RAW password but instead if required could reset the pass.

But still the question stuck into my mind, if SMF password really couldnt be read by the Administrator of the Server at any cost?

Arantor

#7
May 31, 2012, 08:24:44 AM
Yes, I realised what you were trying to do, and edited my post accordingly.

No, it is not possible to read the password, even if you're the administrator. If you're the administrator, you actually don't need the password, there is NOTHING you cannot do with that account. It is even possible, with some effort to actually log in as that user without their password if you have DB access.


It actually doesn't matter whether it's the truth or not. You can't give him the password, no matter what.

Nitesh Kunnath

#8
May 31, 2012, 08:30:34 AM
Quote from: Arantor on May 31, 2012, 08:24:44 AM
It actually doesn't matter whether it's the truth or not. You can't give him the password, no matter what.
Hmmm...I agree, thats against admin ethics. :)

Arantor

#9
May 31, 2012, 08:35:44 AM
It's not just a case of ethics, it's also a security matter. However the password is encrypted, if it's reversibly so, it's still physically weaker than if it were not so.

In the case of passwords, imagine for a moment they were all stored reversibly. The key must also be on the server. If a hacker is able to gain access to your system in ANY fashion, they have the entire password list right there. The same cannot be said for hashes (though then you get into the debates over rainbow tables, while SMF's passwords are salted with the username to mitigate against it)

ApplianceJunk

#10
May 31, 2012, 08:36:48 AM
Why don't you just reset their password for them?

Nitesh Kunnath

#11
May 31, 2012, 08:56:24 AM
Quote from: Arantor on May 31, 2012, 08:35:44 AM
It's not just a case of ethics, it's also a security matter. However the password is encrypted, if it's reversibly so, it's still physically weaker than if it were not so.

In the case of passwords, imagine for a moment they were all stored reversibly. The key must also be on the server. If a hacker is able to gain access to your system in ANY fashion, they have the entire password list right there. The same cannot be said for hashes (though then you get into the debates over rainbow tables, while SMF's passwords are salted with the username to mitigate against it)
Oh fine, got the picture clear now :)

Quote from: ApplianceJunk on May 31, 2012, 08:36:48 AM
Why don't you just reset their password for them?
The scenario is different here. The guy needs to know his password as its same for his gmail account and he needs to recover his gmail account.
Anyways, I did a password reset for his account at my forum and replied back saying I will not be able to send the password anyway.

ApplianceJunk

#12
May 31, 2012, 09:13:35 AM
QuoteThe scenario is different here. The guy needs to know his password as its same for his gmail account and he needs to recover his gmail account.
Anyways, I did a password reset for his account at my forum and replied back saying I will not be able to send the password anyway.

I understand now. :)

Arantor

#13
May 31, 2012, 09:40:27 AM
So reset it then tell him what it is. He can then change it at his leisure.

MrPhil

#14
May 31, 2012, 09:52:10 AM Last Edit: May 31, 2012, 05:35:05 PM by MrPhil
As mentioned before, you (or your user) can reset their SMF password, which will generate a new random password (that they should change to something they can remember). There is no way to recover the original clear text password (which isn't saved anyway). As for Gmail, theirs is an entirely separate system, isn't it? Are you using something to link passwords between the two, or did your user simply choose to use the same password? By the way, that's poor security to use the same password or PIN in multiple places. If someone finds your password to one system, the first thing they'll do is try it everywhere else! For Gmail, your user will have to go through them to reset their password.

ApplianceJunk

#15
May 31, 2012, 10:28:13 AM
Seems odd that a user would claim they use the same password for your forum and gmail yet can't remember it.
Would that not be the point of someone using the same password for everything like that, so they can remember it, lol...

FrizzleFried

#16
May 31, 2012, 11:45:41 AM
The guy has 20 POSTS..  it's not like he's going to lose a life-long account with thousands of posts.  Sheesh...

Storman™

#17
May 31, 2012, 12:07:02 PM
QuoteThe guy has 20 POSTS..  it's not like he's going to lose a life-long account with thousands of posts.  Sheesh...

Think you missed the reason   :P

FrizzleFried

#18
May 31, 2012, 12:13:08 PM
Quote from: Storman on May 31, 2012, 12:07:02 PM
QuoteThe guy has 20 POSTS..  it's not like he's going to lose a life-long account with thousands of posts.  Sheesh...

Think you missed the reason   :P

I still don't really get it.  Why is it the site admins problem his user lost his gmail password?   Dumbass should have written it down or at least attached a 2nd email account to it so he could recover his password.

;)

Arantor

#19
May 31, 2012, 12:16:53 PM
Because he wanted the admin to provide the password to his forum account which is the same thing.
Print
Go Up Pages1 2 All
User actions
Advertisement: