ad-hoc report to display decrypted password

by Prakash Lakhman -
Number of replies: 6
Hello,
I would appreciate anyone's help. How can you display all users' decrypted passwords using an SQL query?
Currently it displays the encrypted password:

SELECT
    u.id,
    CONCAT(u.firstname, ' ', u.lastname) AS full_name,
    u.username,
    u.email,
    u.password,
    organisation.data AS 'Organisation',
    u.suspended
FROM prefix_user AS u
LEFT JOIN prefix_user_info_data AS organisation
    ON u.id = organisation.userid AND organisation.fieldid = 11
WHERE u.deleted = 0


Please let me know if it's possible or not.
Thanks

Average of ratings: -
In reply to Prakash Lakhman

Re: ad-hoc report to display decrypted password

by Howard Miller -
You can't.

That's the whole idea of an encrypted password. It cannot be reversed. If it could, it would not be secure.
Average of ratings: Useful (1)
In reply to Howard Miller

Re: ad-hoc report to display decrypted password

by Prakash Lakhman -
Hi Howard, Thank you for a prompt reply.
I thought so as well, but no harm in asking. I think we can overcome this issue by forcing a password change.
Regards
In reply to Prakash Lakhman

Re: ad-hoc report to display decrypted password

by Jerry Lau -
They use an MD5 hash. If we knew the salt they use, maybe we could decrypt it. Actually, it's better to use a directory service (i.e. LDAP or AD) to store user authentication rather than a DB, so it's easier to manage user access should they leave, etc.
In reply to Jerry Lau

Re: ad-hoc report to display decrypted password

by Prakash Lakhman -
Hello Jerry,
How do we find the type of salt that is being used? They don't use any directory service. I'd really appreciate your help on this one. Thanks
In reply to Jerry Lau

Re: ad-hoc report to display decrypted password

by Mark Sharp -

Moodle doesn't use MD5 for passwords, it uses the default algorithm for PHP's password_hash function which looks like it's currently blowfish. Salts are automatically generated in this case.  https://www.php.net/manual/en/function.password-hash.php https://www.php.net/manual/en/password.constants.php

These passwords are one-way encrypted, so the intention is that you can't decrypt them. The only way to find out what a password is, is via a dictionary attack.
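
The behaviour described in the post above, as an added example that is not part of the original thread and is not Moodle's own code: it uses PHP's password_hash family to show that the salt and cost live inside the stored string, that the same password never hashes to the same value twice, and that checking a login never decrypts anything. The helper name describe_stored_hash and the sample password are constructed for illustration.

```php
<?php
// Added example (not Moodle code). All sample values are constructed.

/**
 * Classify a value from a password column without trying to reverse it.
 * describe_stored_hash() is a hypothetical helper name.
 */
function describe_stored_hash(string $stored): array
{
    // password_get_info() parses hashes produced by password_hash();
    // algoName is 'unknown' for anything it does not recognise.
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'unknown') {
        return [
            'format'       => $info['algoName'],
            'cost'         => $info['options']['cost'] ?? null,
            // True when the hash was made with weaker settings than today's default.
            'needs_rehash' => password_needs_rehash($stored, PASSWORD_DEFAULT),
        ];
    }
    // 32 hex characters is the shape of an MD5 digest, not of password_hash() output.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        return ['format' => 'md5-style hex digest', 'cost' => null, 'needs_rehash' => true];
    }
    return ['format' => 'unrecognised', 'cost' => null, 'needs_rehash' => true];
}

$password = 'correct horse battery staple';   // constructed sample

// Same password hashed twice: each call generates its own random salt,
// and the salt and cost are stored inside the hash string itself.
$h1 = password_hash($password, PASSWORD_DEFAULT);
$h2 = password_hash($password, PASSWORD_DEFAULT);

echo "hash 1: $h1\nhash 2: $h2\n";
echo 'hashes identical: ', var_export($h1 === $h2, true), "\n";

// Login checks re-hash the candidate with the embedded salt and compare;
// nothing is ever decrypted.
echo 'right password verifies: ', var_export(password_verify($password, $h1), true), "\n";
echo 'wrong password verifies: ', var_export(password_verify('wrong guess', $h1), true), "\n";

print_r(describe_stored_hash($h1));
print_r(describe_stored_hash(md5($password)));
```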

In reply to Mark Sharp

Re: ad-hoc report to display decrypted password

by Prakash Lakhman -
Thank you Mark,
All good, now we have to take the second approach, which is to force a password change.

Regards Prakash