export password to plain text

Permalink
Hi,
Is there a way to decrypt and export user passwords from the users table?

Thanks.

maartenfb
View Replies:
Mainio replied on at Permalink Reply
Mainio
Hi,

Unfortunately not, like there shouldn't be a way to do this in any software that considers security as an important criteria.

This way it's much harder for the hackers to get into your site, leaving just brute force, dictionary and password database attacks the only possible ways of hacking your users' passwords. (I'm not a software security expert, so I'm not sure if there are other methods)

The one-way formula for creating the stored user passwords in concrete5 is:
$stored = md5($originalPassword . ':' . PASSWORD_SALT);


And the PASSWORD_SALT constant is a site-specific string you can find from config/site.php.



Antti / Mainio
mkly replied on at Permalink Reply
mkly
@Manio: Yup it prevents Rainbow attacks which is only quick way to discover md5 hashed passwords.
mkly replied on at Permalink Reply
mkly
But on that note if you export the user passwords(hashed) and then import those hashed in to a new concrete5 database(directly into the tables) you can use the same salt in /config/site.php for the new site and it should still work.
maartenfb replied on at Permalink Reply
maartenfb
ok thanks for the answers.
I noticed that rainbow didn't work ;-)

The reason I'm asking is that I'm migrating users to another system.
I guess they'll just have to enter new password on first entrance.

Thanks.
TheRealSean replied on at Permalink Reply
TheRealSean
like mkly said if you copy the salt over all should work I've done it a couple of times when we changed a server and it worked well.
maartenfb replied on at Permalink Reply
maartenfb
thanks, but by an other system I actually ment a non c5 system.