Is there a way to manually locate user's passwords?

admin

(Ramith Hettiarachchi) #1

I want to know whether the admin has a way to view the forum users’ passwords & other info


(Joe Seyfried) #2

Other info? Sure, all stored in the database. The passwords too, but hashed and salted - which boils down to a simple: “¡No way, señor!”


(⛰️) #3

If any user forgot their password they can retrieve it on their own.

“I forgot my password” They can click that and go through the prompts.

No admin needs to know the passwords of their users.


(Joe Seyfried) #4

s/retrieve/reset/

You really cannot “retrieve” it. But you can get the system to let you choose another one.

Very true. I would extend that to “No admin should know…”


(Ramith Hettiarachchi) #5

So can the admin decrypt it?


(Ramith Hettiarachchi) #6

Is there a way to view the database in a readable format?


(Mittineague) #7

No

Only in as much that hashes are readable


(Sam Saffron) #9

You would need to brute force the hashed password; it’s using PBKDF2 with a rather high number of iterations, so you would probably be stuck only being able to test out a handful of passwords a second.

On current computing hardware if the user picked a reasonable password you are probably looking at a few centuries of computer work.
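
As an added illustration of the point above (example code written for this thread, not code from Discourse or from any poster): the snippet below uses Ruby’s OpenSSL PBKDF2-HMAC binding to show what “hashed and salted” looks like in practice. It stores a salt next to the derived key, verifies a login attempt by recomputing the derivation, and measures how many guesses per second one core manages, which is exactly the cost a brute-force attempt pays for every candidate. The iteration count, key length, salt size and sample passwords are constructed assumptions for the example, not Discourse’s real parameters.

```ruby
require "openssl"
require "securerandom"
require "benchmark"

# Constructed parameters for illustration only; they are not the values
# Discourse itself uses.
ITERATIONS = 100_000
KEY_LENGTH = 32          # bytes of derived key (256 bits)
DIGEST     = "sha256"

# Derive a salted PBKDF2-HMAC-SHA256 key, returned as lowercase hex.
# The salt is stored beside the hash; it does not need to be secret, it
# only makes identical passwords hash differently for different users.
def hash_password(password, salt, iterations: ITERATIONS)
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: KEY_LENGTH, hash: DIGEST)
  key.unpack1("H*")
end

# Fresh random salt per user (32 hex characters).
def new_salt
  SecureRandom.hex(16)
end

# Constant-time comparison so a mismatch does not leak, through timing,
# how many leading characters happened to match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verifying a login attempt: recompute with the stored salt and compare.
# There is no "decrypt" step; the stored value is only ever recomputed.
def verify_password(candidate, salt, stored_hash, iterations: ITERATIONS)
  secure_equal?(hash_password(candidate, salt, iterations: iterations), stored_hash)
end

# Measure how many full derivations this machine completes per second.
# Every brute-force guess costs one of these.
def guesses_per_second(salt, iterations: ITERATIONS, samples: 5)
  elapsed = Benchmark.realtime do
    samples.times { |i| hash_password("guess-#{i}", salt, iterations: iterations) }
  end
  samples / elapsed
end

# Years needed to exhaust every password of `length` characters drawn
# from an alphabet of `alphabet_size` symbols at `rate_per_second`.
def years_to_exhaust(alphabet_size, length, rate_per_second)
  (alphabet_size**length) / rate_per_second / (365.25 * 24 * 3600)
end

if __FILE__ == $0
  salt_a = new_salt
  salt_b = new_salt
  sample = "correct horse battery staple"   # constructed sample password
  stored = hash_password(sample, salt_a)
  puts "stored hash:               #{stored}"
  puts "same password, other salt: #{hash_password(sample, salt_b)}"
  puts "login ok?                  #{verify_password(sample, salt_a, stored)}"
  puts "wrong password ok?         #{verify_password(sample + 'r', salt_a, stored)}"
  rate = guesses_per_second(salt_a)
  printf("this machine: %.1f guesses/s; 10 random letters+digits: %.0e years\n",
         rate, years_to_exhaust(62, 10, rate))
end
```

Run it once and note that the two hashes of the same password differ (different salts), while `verify_password` still succeeds because the stored salt is reused. The measured rate is what an attacker holding a database dump would be working against per core; the `years_to_exhaust` figure is why the earlier post talks about centuries rather than minutes.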


(Jens Maier) #10

Sure, install Discourse in dev mode or, not recommended, export your production Discourse’s PostgreSQL’s port and poke a hole in your firewall, then connect with pgAdmin and have a look around.

Oh and just to illustrate @sam’s point:

This is my password. Have fun trying to decrypt that. :slight_smile:


(⛰️) #11

Don’t tempt him. We might be dealing with a Super Elite Class I Hacker.


(Jens Maier) #12

(Ramith Hettiarachchi) #13

Awesome!
what a great challenge … :slight_smile:


(Stephen) #14

It’s a hash, it’s not encrypted. Encryption is reversible, hashing is not.


(Jens Maier) #15

Depends; if you know that the cleartext is shorter than the hash block length, the hash is reversible. We just hope that no one ever finds an efficient (i.e. deterministic polynomial) reverse function. :wink:

Ok, “hope” is not exactly true. Cryptologists are fairly certain that for SHA2 no such function exists for current hardware.