How to decrypt password in mysql?

Question

I created a user on my website but then I forgot the password. I tried to reset the password but got an error. Then I tried to see it in the database but the password was encrypted. Here's the password:

$2y$10$2bPXVJ3xkUSHJcZ1sc.bIunwJ9ROjPwkyRFfdO3pM9E0ghM7Tqyui

Does anyone know how to decrypt it?

Assorted: https://stackoverflow.com/a/59537853/2864740 , https://stackoverflow.com/a/55791618/2864740 , https://stackoverflow.com/a/6337021/2864740 , https://stackoverflow.com/a/1240869/2864740 , https://stackoverflow.com/a/28114417/2864740 (relevant answers/information in same domain, not specifically "this" implementation) — user2864740, Dec 31 '19 at 18:42
@user2864740 Those are interesting and all. But this question was about mysql. If mysql used some other form of password storage (e.g. [Windows' reversible encryption](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption)) then the answer would be different. The question is not a duplicate; although the answer might me. We won't know until the question is asked. Which is why this is a useful question. — Ian Boyd, Dec 31 '19 at 19:16
@IanBoyd This is not about the password storage provided by MySQL, but about some web application's generated passwords. I don't think we need another question asking how to reverse a hash - that topic is well covered all over books and the web. Prior research is expected here. People didn't downvote because they "don't like it". You are of course free to disagree, by casting your own upvote. — Lightness Races in Orbit, Jan 01 '20 at 16:38
@user2864740 Lol, the first link is to my answer on _this_ page ;) — Lightness Races in Orbit, Jan 01 '20 at 16:39

Lightness Races in Orbit · Answer 1 · 2019-12-30T23:24:42.020

You can't.

That's the whole point of storing it that way. You're not supposed to be able to see other people's passwords. Ever. If you can't, then hackers can't either.

Instead, focus on resolving the error with the password-reset feature.

In the interim, you could use a SQL statement to set a new password, though you may need to understand the specific application's means of storing passwords in order to get that right; it looks like a crypt_blowfish string, which means your web application is in charge of generating a hashed password for storage, and you'd have to replicate that mechanism exactly (including salts) to get it to work properly.

tadman · Answer 2 · 2019-12-30T23:18:26.353

2

You can't. That's not encrypted, it's hashed with Bcrypt and is intentionally difficult to brute-force.

This is a one-way operation. It cannot be undone.

You can either:

Update this password using an admin (root) account.
Boot your database in recovery mode which bypasses authentication checking, then reset the password. Then boot back into normal mode.

edited Dec 30 '19 at 23:18

answered Dec 30 '19 at 23:13

tadman

208,517
23
234
262

Solutions assume that this is the DB password, not an application password stored in a table. That's unlikely seeing as it's in crypt_blowfish format. – Lightness Races in Orbit Dec 30 '19 at 23:20
@LightnessRacesBY-SA3.0 I thought MySQL 8.0 switched to this format (at last!) but must have been mistaken. – tadman Dec 31 '19 at 18:14
Ah, looks like [the default since 8.0.4 is SHA2](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_authentication_plugin), though that's still not this ;) – Lightness Races in Orbit Jan 01 '20 at 16:37

Pedro Azevedo · Answer 3 · 2019-12-30T23:20:01.237

0

Well... that what is suppose to do, impossible to revert.

You can try to see what encryption you used, but you must likely try another approach:

Update your password like this:

UPDATE user SET pass = PASSWORD("newpass");

EDIT: Probably it was encrypted using this function

Or it was encrypted using MD5 (most likely) UPDATE user SET pass = MD5("newpass");

try to see what encryption was used and reproduce

edited Dec 30 '19 at 23:20

answered Dec 30 '19 at 23:15

Pedro Azevedo

111
2
13

This SQL statement makes various assumptions about how passwords are generated and stored for this particular application. – Lightness Races in Orbit Dec 30 '19 at 23:18
That's why I edited now. Hopefully he figures out what encryption was used, but it seems MD5 – Pedro Azevedo Dec 30 '19 at 23:20
2

You really should not be using MD5 any more. It was "broken" back in 2008. And it is not "encryption". – Lightness Races in Orbit Dec 30 '19 at 23:21
3

The field actually looks like [the result of crypt_blowfish](https://en.wikipedia.org/wiki/Bcrypt#Versioning_history), not MD5. [`PASSWORD()` won't create that either](https://dev.mysql.com/doc/refman/5.7/en/password-hashing.html). It seems clear that the web application is in charge of generating user password hashes for storage. – Lightness Races in Orbit Dec 30 '19 at 23:21

score 0 · Answer 4 · answered Aug 28 '21 at 09:16

0

hashcat.exe -m 3200 hash.txt rockyou.txt

I used the module 3200 and successfully decrypted 2 out of 4 hashes.

answered Aug 28 '21 at 09:16

7absec

41
4

3

Please add further details to expand on your answer, such as working code or documentation citations. – Community Aug 28 '21 at 09:57

How to decrypt password in mysql?

4 Answers4