28

The developer who created a platform my company uses is no longer working for us, and I don't know how I can retrieve the passwords from a custom PHP application.

When I look in phpMyAdmin the passwords are encrypted (e.g. *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19).

How can I change or retrieve these?

Ike Walker
Mike

7 Answers

24

If a proper encryption method was used, it's not going to be possible to easily retrieve them.

Just reset them with new passwords.

Edit: The string looks like it is using PASSWORD():

UPDATE user SET password = PASSWORD("newpassword");
Pekka
  • There is no script to reset them unfortunately – Mike Apr 13 '11 at 19:57
  • @Mike no need. Just run that command manually in phpMyAdmin on each user whose password you want to reset. There is no way to retrieve the original passwords without using heavy-duty cracking – Pekka Apr 13 '11 at 19:59
  • MD5 was cracked long ago using the birthday attack. See for yourself: https://hashkiller.co.uk/md5-decrypter.aspx. The plain text password for the MD5 `2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19` is `password`. – Dr Deo Sep 21 '18 at 08:36
  • 2
    @DrDeo well, that's not quite right. First, MySQL uses its own SHA1 and unhex combined method for password hashing. Second, MD5 has been "cracked" in a way that you can generate the same exact hash from two different inputs (because of a design failure in MD5's algorithm). That means an attacker could identify himself with his own generated password as the legitimate one (because he calculated the collision hash), but he can never know what the original password was. It's not reversible. Also, what you provide is just a database of already known inputs and hashes. – vegatripy Oct 02 '18 at 15:45
  • PASSWORD is removed since MySQL 8.0.11. Is there any other way to generate? – chancyWu Apr 01 '19 at 01:51
  • 1
    @chancyWu - Use this: ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass'; Docs here: https://dev.mysql.com/doc/refman/8.0/en/resetting-permissions.html – ATutorMe May 06 '21 at 02:23
21

How can I decrypt MySQL passwords

You can't really because they are hashed and not encrypted.

Here's the essence of the PASSWORD function that current MySQL uses. You can execute it from the sql terminal:

mysql> SELECT SHA1(UNHEX(SHA1("password")));

+------------------------------------------+
| SHA1(UNHEX(SHA1("password")))            |
+------------------------------------------+
| 2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
+------------------------------------------+
1 row in set (0.00 sec)

How can I change or retrieve these?

If you are having trouble logging in on a Debian or Ubuntu system, first try this (thanks to tohuwawohu at https://askubuntu.com/questions/120718/cant-log-to-mysql):

$ sudo cat /etc/mysql/debian.cnf | grep -i password
...
password: QWERTY12345...

Then, log in with the debian maintenance user:

$ mysql -u debian-sys-maint -p
password:

Finally, change the user's password:

mysql> UPDATE mysql.user SET Password=PASSWORD('new password') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> quit;

When I look in the PHPmyAdmin the passwords are encrypted

Related, if you need to dump the user database for the relevant information, try:

mysql> SELECT User,Host,Password FROM mysql.user;
+------------------+-----------+----------------------+
| User             | Host      | Password             |
+------------------+-----------+----------------------+
| root             | localhost | *0123456789ABCDEF... |
| root             | 127.0.0.1 | *0123456789ABCDEF... |
| root             | ::1       | *0123456789ABCDEF... |
| debian-sys-maint | localhost | *ABCDEF0123456789... |
+------------------+-----------+----------------------+

And yes, those passwords are NOT salted. So an attacker can prebuild the tables and apply them to all MySQL installations. In addition, the adversary can learn which users have the same passwords.

Needless to say, the folks at MySQL are not following best practices. John Steven did an excellent paper on Password Storage Best Practice at OWASP's Password Storage Cheat Sheet. In fairness to the MySQL folks, they may be doing it because of pain points in the architecture, design or implementation (I simply don't know).

If you use the PASSWORD and UPDATE commands and the change does not work, then see http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html. Even though the page is named "resetting permissions", it's really about how to change a password. (It's befuddling that the MySQL password change procedure is so broken that you have to jump through the hoops, but it is what it is.)

Community
jww
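Added example, not part of any answer on this page: a Python version of the `SHA1(UNHEX(SHA1(...)))` construction shown above, which produces the stored value without calling `PASSWORD()`, plus an audit that lists accounts sharing a hash because no salt is used. The account names, sample rows and PBKDF2 parameters are constructed assumptions for illustration.

```python
import hashlib
import os
from collections import defaultdict

def mysql_native_hash(password):
    """'*' + upper-case hex of SHA1(SHA1(password)), as in the query above."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()  # UNHEX(SHA1(pw))
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def shared_hashes(rows):
    """Return {hash: [users]} for every stored hash used by more than one account.

    With an unsalted scheme, equal hashes mean equal passwords, so this is a
    quick audit for reused or default credentials after inheriting a system.
    """
    groups = defaultdict(list)
    for user, stored in rows:
        groups[stored.upper()].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

def salted_hash(password, salt=None, iterations=200_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) for contrast.

    The iteration count is an illustrative assumption, not a recommendation
    taken from the page.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

# Constructed sample rows (user, stored hash); not real data.
ROWS = [
    ("alice", mysql_native_hash("password")),
    ("bob", mysql_native_hash("constructed-sample-1")),
    ("carol", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
]

if __name__ == "__main__":
    print(mysql_native_hash("password"))
    for stored, users in shared_hashes(ROWS).items():
        print(stored, "shared by", ", ".join(users))
    salt_a, digest_a = salted_hash("password")
    salt_b, digest_b = salted_hash("password")
    print("salted digests equal:", digest_a == digest_b)
```

The same password always maps to the same unsalted value, while the two salted digests differ, which is the difference the answer above points out.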
10

Hashing is a one-way process but using a password-list you can regenerate the hashes and compare to the stored hash to 'crack' the password.

This site https://crackstation.net/ attempts to do this for you - run through password lists and tell you the cleartext password based on your hash.

Dave Hilditch
Kishan Bheemajiyani
4

With luck, if the original developer was any good, you will not be able to get the plain text out. I say "luck" because otherwise you probably have an insecure system.

For the admin passwords, as you have the code, you should be able to create hashed passwords from a known plain text such that you can take control of the application. Follow the algorithm used by the original developer.

If they were not salted and hashed, then make sure you do apply this as 'best practice'.

Rikki
Adam Straughan
  • 1
    That fell dead on its face with `2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19`. But you are right, and it's probably good the guy who was responsible for it is no longer there. +1 for calling out some best practices! – jww Dec 30 '13 at 06:58
3

Just change them to password('yourpassword').

Nanne
  • 2
    they don't have to be encrypted? – Mike Apr 13 '11 at 19:55
  • 1
    +1, this is it. @Mike `PASSWORD()` encrypts them, check out the [manual](http://dev.mysql.com/doc/refman/5.1/en/password-hashing.html) to see how – Pekka Apr 13 '11 at 19:58
  • 1
    Use the source, Mike. How does the login part of the application check your credentials when you log in? – Adam Straughan Apr 13 '11 at 19:59
  • 5
    Why is this insecure? I was not really suggesting to use the actual string "yourpassword", obviously. Is the password hash of MySQL not safe enough for you? – Nanne Apr 14 '11 at 05:43
0

You can't decrypt MySQL passwords, because they are hashed using the MD5 hash algorithm, which is not an encryption algorithm.

greybeard
macio.Jun
-1

Simply the best way from a Linux server:

sudo mysql --defaults-file=/etc/mysql/debian.cnf -e 'use mysql;UPDATE user SET password=PASSWORD("snippetbucket-technologies") WHERE user="root";FLUSH PRIVILEGES;'

This way works for any Linux server; I am 100% sure that on Debian and Ubuntu you win.

Tejas Tank