-6

My project requires a list of all users with their password. Drupal stores these passwords after applying an MD5 hash. How can I get the original password for the user?

Thomas Owens
Neelam Gahlyan
  • 2
    There is _never_ a reason to decrypt other users' passwords! Additionally, the phrase "My project requires list of __all users with their password__" should make you _very_ skeptical – KingCrunch Apr 25 '12 at 12:02
  • 5
    Wait, what? You want me to help you steal a bunch of usernames and passwords!? – DOK Apr 25 '12 at 12:02
  • http://stackoverflow.com/questions/3126255/how-to-output-md5-hashed-password-in-plain-text Related question... – Aleski Apr 25 '12 at 12:02
  • 1
    KingCrunch and DOK, thanks for supporting users' privacy. But this project is not a social networking or any public website. In this project the admin himself is registering users. So there might be chances of losing a user's password. So the admin needs some download option where he can get all the users with their passwords. – Neelam Gahlyan Apr 25 '12 at 12:27
  • D6 passwords are md5 and D7 are SHA with hash FYI. No matter Drupal or whatever, hashes cannot be decrypted unless you use some web service to get the matches using their web service. And "Decryption" doesn't make sense for md5. Tell "Unhash" instead. – AKS Apr 27 '12 at 17:19
  • 1
    possible duplicate of [Is it possible to decrypt md5 hashes?](http://stackoverflow.com/questions/1240852/is-it-possible-to-decrypt-md5-hashes) – Mechanical snail Jan 07 '13 at 23:30

2 Answers

6

MD5 is a one-way hash function. There's no non-trivial way to reverse it, which is why it (and other one-way hash functions) is used for storing passwords. However, you might be able to use rainbow tables to try to reverse the hash, but the effectiveness depends on the complexity of the password and the salt used (if one is used). Rainbow tables are also very costly in terms of time and computational resources.

I would recommend reconsidering why you need the password. Generally, working with user passwords is a bad idea. There's probably an alternative solution out there.

Thomas Owens
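The answer's points about one-way hashing, salts, and looking for an alternative to recovering passwords can be shown together. The following is an added example, not part of the original answer and not Drupal's own code: it uses PBKDF2-HMAC-SHA256 in place of Drupal's scheme, and the function names, record fields, iteration count and token lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # assumed work factor; tune for your hardware
TOKEN_TTL = 3600      # assumed reset-token lifetime, in seconds

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means identical
    passwords give different records, so precomputed tables do not apply."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Check a login by re-hashing the attempt; the record is never reversed."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def issue_reset_token(user_record, now=None):
    """Create a one-time token the admin can hand to a user who forgot
    their password. Only the token's hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user_record["reset_hash"] = hashlib.sha256(token.encode()).digest()
    user_record["reset_expires"] = now + TOKEN_TTL
    return token

def redeem_reset_token(user_record, token, new_password, now=None):
    """Set a new password if the token matches and has not expired."""
    now = time.time() if now is None else now
    stored = user_record.get("reset_hash")
    if stored is None or now > user_record["reset_expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), stored):
        return False
    user_record["salt"], user_record["digest"] = hash_password(new_password)
    del user_record["reset_hash"], user_record["reset_expires"]  # single use
    return True

if __name__ == "__main__":
    user = {}  # constructed sample record
    user["salt"], user["digest"] = hash_password("correct horse")
    token = issue_reset_token(user)
    print(redeem_reset_token(user, token, "new passphrase"))
    print(verify_password("new passphrase", user["salt"], user["digest"]))
```
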
-3

If they're already in the db - you could only get them by bruteforcing (which can really take a while; i.e. practically you can't). Other than that:

  1. send an email to the admin with the password upon each registration
  2. an additional write to a table in another db
  3. turn off md5 (what's it for anyway? O-)
  • 1
    You _really_ give advice to expose user passwords?! – KingCrunch Apr 25 '12 at 12:05
  • it depends on where the system's used; if you're using it inside your network and for an office of 10 people - what the hell...; i had a case like that once, and people were always forgetting passwords and there was no "reset password" feature – Grigorash Vasilij Apr 25 '12 at 12:07
  • 1
    That's an absolute no-no, completely independent of whether it's just for internal or public usage, or whether it's for 2 or 2 billion users. If the developer forgot to implement "reset password", that's the fault of the developer and not of the users, and especially it is not a reason to expose their password! Even when the users write their passwords on a piece of paper and put it in their wallet, it's much more secure than this... – KingCrunch Apr 25 '12 at 12:12
  • 1. the question was "how" and not "should i" (i believe both points are well covered); 2. even with md5 - user passwords can be exposed; it is not your super seal that will make everything much safer – Grigorash Vasilij Apr 25 '12 at 12:21
  • 1
    1. "how" is irrelevant in this case. It's like explaining to a child how to steal a car. 2.a) `md5` on its own makes it at least _much_ more time consuming (and therefore unprofitable in most cases), but usually a developer b.I) would prefer at least `sha1` and b.II) would not just hash the _unsalted_ password. -- That something is "not safe enough" does _not_ mean that one can, or even should, omit it, because "so what?" – KingCrunch Apr 25 '12 at 12:30