Need help with a simple .php file

I am not so good at making .php files and I was wondering if someone could make me a working .php file that uses this so I can encrypt/decrypt passwords using a $salt.

[php]$in_password = trim($this->request['PassWord']);
$md5_password = md5($in_password);
$pass_hash = md5( md5( $salt ) . $md5_password );[/php]

Can’t be done using md5(); you’d need to use sha1 or some other form of encryption.

You can’t decrypt an MD5… all you can do is check if it’s the same…
When they sign up, convert the pass to MD5 and store it… then when they log in, convert the attempt to MD5 and see if it matches what’s in the DB.

Understand?

Then is there a way to use that code to make a .php file with forms to enter a new password and have it make a new MD5 and salt so I could change the password using MySQL? I run an IPB forum and sometimes the lost password recovery doesn’t work, and I am looking at the ability to just make a new MD5 and salt so I can enter them into the member_pass_hash and member_pass_salt values and give them the actual password, which would be something like “newpassword”, and the MD5 and salt would make it so that password is correct in the MySQL database.

If it’s recoverable, as in it sends the current password to the user, then it’s not using md5 for encryption. It’s been a very long time since I’ve messed with Invision boards, so I don’t know what they use. The better place to ask this question would be their forum.

I did, and the reply I got was that the code I posted in my 1st post is what their system uses to encrypt a password, but they are unwilling to help build a .php file to make a new md5 and salt using that code I posted. Here is the reply I got on their forum:

Posted 18 July 2011 - 07:57 PM

The default method for hashing passwords is thus:

[php]$in_password = trim($this->request['PassWord']);
$md5_password = md5($in_password);
$pass_hash = md5( md5( $salt ) . $md5_password );[/php]

And I know it was back in July of last year, but I got out of the IPB scene for a while; now I am back running a forum and need to try to get this done.

It’s impossible to recover a password that’s encrypted using md5. You’d have to create them a temp password, allow them to log in using that and allow them to change it that way.

I don’t want to recover a new password, I want to use that code to make a new password altogether. I would like to know if it’s possible, using that code or something like that code, to input a password and hit a button and have it spit me out the MD5 hash and the salt so I can input them into these 2 tables on my MySQL database, so I can overwrite that password down to the MySQL level.

To “recover” a password you just create a “new” password. That is what they are telling you.

You have a form with all the user’s info including username and password. You put the password in a password field. When that form gets posted it is sent to a PHP file. In that file you use your form’s data to run through the format that was given to you. You then insert the user’s info and the output from the code you posted. When the user comes back to log in, they enter the userid and password, and you use the same routine with the password again. Then, you compare the two outputs, the one you saved first and the version from the new log-in. If it is the same, then it is validated and you continue. If it is not the same, they cannot log in. Give them the option at this point to “recover” the password by making a new one. If they want to do that, you ask them two or three secret questions to verify they are who they say they are…

Hope that explains it all. Or you can find HUNDREDS of samples in Google. SALT is just a random “seed” for the MD5 encryption. Nothing more. It’s a way to add more security to the MD5. So, here is one link that talks about it and maybe it will help further:
http://pbeblog.wordpress.com/2008/02/12/secure-hashes-in-php-using-salt/
Good luck!

I understand that, but what I am asking is: say my admin account gets hacked and I can’t get in to the forum to recover the forum, would it be possible to use a .php file on the web server to generate a new MD5 and salt and input them into those 2 lines in the image I posted in MySQL to retake my account without the need to go through a password recovery, and just go straight to the MySQL table and edit it internally?

If you have access to the MySQL server, then there’s no need to go through all that. The safest way to prevent a hostile takeover is to not use colors for different account types. If people don’t know you’re an admin, they can’t target you.
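
The request in the thread, as an added example that is not part of any post above and is not IPB's own code: a command-line PHP script that generates a fresh salt and the matching hash with the formula quoted from the IPB forum, for pasting into member_pass_salt and member_pass_hash. The function names, the 5-character alphanumeric salt and the letters-and-digits restriction on the password (in case the forum filters request input before hashing) are assumptions.

```php
<?php
// Added example: run from a shell on the server, never from the web root.

// Hash exactly as in the snippet quoted in the thread.
function ipb_pass_hash(string $password, string $salt): string
{
    $md5_password = md5(trim($password));
    return md5(md5($salt) . $md5_password);
}

// Assumption: a 5-character alphanumeric salt is acceptable to the forum.
function make_salt(int $length = 5): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the OS CSPRNG, unlike rand()/mt_rand().
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}

// The login-side comparison the thread describes: re-hash and compare.
function verify_password(string $attempt, string $salt, string $stored): bool
{
    return hash_equals($stored, ipb_pass_hash($attempt, $salt));
}

// Refuse to run if someone uploads this where the web server can reach it.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit;
}

// Read from stdin so the password never lands in shell history.
fwrite(STDERR, "New temporary password: ");
$password = trim((string) fgets(STDIN));
if (strlen($password) < 12 || !ctype_alnum($password)) {
    fwrite(STDERR, "Use at least 12 letters and digits.\n");
    exit(1);
}

$salt = make_salt();
$hash = ipb_pass_hash($password, $salt);
if (!verify_password($password, $salt, $hash)) {
    exit(1); // self-check failed; do not write anything to the database
}
echo "member_pass_salt: $salt\n";
echo "member_pass_hash: $hash\n";
```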
