ad-hoc report to display decrypted password

by Prakash Lakhman -
Number of replies: 6
Hello,
I would appreciate anyone's help. How can you display all users' decrypted passwords using an SQL query?
Currently it displays the encrypted password:

SELECT
    u.id,
    CONCAT(u.firstname, ' ', u.lastname) AS full_name,
    u.username,
    u.email,
    u.password,
    organisation.data AS 'Organisation',
    u.suspended
FROM prefix_user AS u
LEFT JOIN prefix_user_info_data AS organisation ON u.id = organisation.userid AND organisation.fieldid = 11
WHERE deleted = 0

Please let me know whether it's possible or not.
Thanks

In reply to Prakash Lakhman

Re: ad-hoc report to display decrypted password

by Howard Miller -
You can't.

That's the whole idea of an encrypted password. It cannot be reversed. If it could, it would not be secure.
Average of ratings: Useful (1)
In reply to Howard Miller

Re: ad-hoc report to display decrypted password

by Prakash Lakhman -
Hi Howard, Thank you for a prompt reply.
I thought so as well, but no harm in asking. I think we can overcome this issue by forcing a password change.
Regards
In reply to Prakash Lakhman

Re: ad-hoc report to display decrypted password

by Jerry Lau -
They use an md5 hash. If we knew the salt they use, maybe we can decrypt it. Actually, it's better to use a directory service (i.e. LDAP or AD) to store user authentication rather than a db, so it's easier to manage user access should they leave, etc.
In reply to Jerry Lau

Re: ad-hoc report to display decrypted password

by Prakash Lakhman -
Hello Jerry,
How do we find the type of salt that is being used? They don't use any directory service. Really appreciate your help on this one. Thanks
In reply to Jerry Lau

Re: ad-hoc report to display decrypted password

by Mark Sharp -
Moodle doesn't use MD5 for passwords; it uses the default algorithm for PHP's password_hash function, which looks like it's currently blowfish. Salts are automatically generated in this case. https://www.php.net/manual/en/function.password-hash.php https://www.php.net/manual/en/password.constants.php

These passwords are one-way encrypted, so the intention is that you can't decrypt them. The only way to find out what a password is, is via a dictionary attack.
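
The behaviour described in the reply above, as an added example that is not part of the original posts or Moodle's own code: it shows that a `password_hash()` value carries its own salt, that the salt gives nothing to decrypt, and that a login check re-hashes the candidate instead. The sample password, the helper name `describe_stored_hash` and the cost-12 policy are assumptions made for illustration.

```php
<?php
// Hypothetical helper: split a stored value into the parts PHP recorded in it.
function describe_stored_hash(string $stored): array
{
    $info = password_get_info($stored);   // algorithm name and options (e.g. cost)
    $out  = ['algorithm' => $info['algoName'], 'options' => $info['options']];

    // bcrypt layout: $2y$<cost>$<22-char salt><31-char digest>
    $re = '#^\$2[abxy]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (preg_match($re, $stored, $m)) {
        $out['salt']   = $m[2];   // kept in the clear, next to the digest
        $out['digest'] = $m[3];   // one-way output; no key exists that reverses it
    }
    return $out;
}

$password = 'Constructed-Sample-1!';   // constructed sample, not a real credential

// PASSWORD_BCRYPT pins the algorithm so the layout parsed above applies.
$first  = password_hash($password, PASSWORD_BCRYPT);
$second = password_hash($password, PASSWORD_BCRYPT);

// The two stored values differ even though the password is the same,
// because every call draws a fresh random salt.
var_dump($first === $second);
print_r(describe_stored_hash($first));

// A login check never decrypts: password_verify() reads the salt and cost
// from the stored string, hashes the candidate the same way and compares.
var_dump(password_verify($password, $first));
var_dump(password_verify('wrong-guess', $first));

// Reports whether the stored hash was made with weaker settings than the
// policy passed in (cost 12 is an assumed policy value).
var_dump(password_needs_rehash($first, PASSWORD_BCRYPT, ['cost' => 12]));
```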

In reply to Mark Sharp

Re: ad-hoc report to display decrypted password

by Prakash Lakhman -
Thank you Mark,
All good, now we have to take the second approach, which is to force a password change.

Regards Prakash