Is there a way to manually locate user's passwords?

I want to know whether the admin has a way to view the forum users’ passwords & other info

Other info? Sure, all stored in the database. The passwords too, but hashed and salted - which boils down to a simple: “¡No way, señor!”

11 Likes

If any user forgot their password they can retrieve it on their own.

“I forgot my password” They can click that and go through the prompts.

No admin needs to know the passwords of their users.

1 Like

s/retrieve/reset/

You really cannot “retrieve” it. But you can get the system to let you choose another one.

Very true. I would extend that to “No admin should know…”

4 Likes

So can the admin decrypt it?

Is there a way to view the database in a readable format?

No

Only inasmuch as hashes are readable

1 Like

You would need to brute force the hashed password. It’s using http://en.wikipedia.org/wiki/PBKDF2 with a rather high number of iterations, so you would probably be stuck only being able to test out a handful of passwords a second.

On current computing hardware if the user picked a reasonable password you are probably looking at a few centuries of computer work.

8 Likes
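To make the point above concrete, here is an added example (not code from the thread and not Discourse’s own implementation) that stores a password the way a salted PBKDF2 scheme does, verifies a login in constant time, and then plays the attacker who has stolen the stored record and must pay the full PBKDF2 cost for every guess. The 64,000-iteration work factor, the 16-byte salt and the wordlist are assumptions chosen for the illustration; the `seconds_to_exhaust` estimate is plain arithmetic on the measured rate.

```python
"""Added example (not from the original thread or from Discourse): why a
salted PBKDF2 hash makes offline password guessing slow.

Assumptions: PBKDF2-HMAC-SHA256, a 64,000-iteration work factor and a
16-byte random salt. The iteration count is an illustrative choice, not a
claim about what any particular Discourse version uses.
"""
import hashlib
import hmac
import os
import time

ALGORITHM = "sha256"
ITERATIONS = 64_000   # assumed work factor
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte PBKDF2-HMAC-SHA256 tag from the password and salt."""
    return hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """What the server stores: a per-user salt and the derived hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt; compare in constant time so the
    comparison does not leak how many leading bytes matched."""
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def offline_guess(record: dict, wordlist) -> tuple:
    """An attacker holding a stolen record cannot reverse the hash; they can
    only try candidates one by one, paying the full PBKDF2 cost each time.
    Returns (matching_word_or_None, guesses_made, elapsed_seconds)."""
    start = time.perf_counter()
    guesses = 0
    for word in wordlist:
        guesses += 1
        if verify(word, record):
            return word, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


def seconds_to_exhaust(guesses_per_second: float, alphabet_size: int, length: int) -> float:
    """Worst-case time to try every password of `length` symbols drawn from an
    alphabet of `alphabet_size` symbols at the given guess rate."""
    return (alphabet_size ** length) / guesses_per_second


if __name__ == "__main__":
    record = make_record("correct horse battery staple")
    # Constructed wordlist: a few common guesses, with the real password last.
    wordlist = ["password", "123456", "letmein", "qwerty", "correct horse battery staple"]
    hit, n, secs = offline_guess(record, wordlist)
    rate = n / secs
    print(f"found {hit!r} after {n} guesses in {secs:.2f}s ({rate:.1f} guesses/s)")
    years = seconds_to_exhaust(rate, 26, 10) / (365 * 24 * 3600)
    print(f"exhausting every 10-character lowercase password at that single-threaded rate: {years:.0f} years")
```

Running it single-threaded gives a rate in the tens of guesses per second; the exhaustion figure is only an upper bound for one CPU core, and a GPU rig or a wordlist of previously leaked passwords shrinks it dramatically, which is why the later posts in this thread worry about weak ten-character passwords rather than about the hash being reversed.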

Sure, install Discourse in dev mode or, not recommended, export your production Discourse’s PostgreSQL port and poke a hole in your firewall, then connect with pgAdmin and have a look around.

Oh and just to illustrate @sam’s point:

This is my password. Have fun trying to decrypt that. :slight_smile:

6 Likes

Don’t tempt him. We might be dealing with a Super Elite Class I Hacker.

4 Likes

Awesome!
What a great challenge … :slight_smile:

It’s a hash, it’s not encrypted. Encryption is reversible, hashing is not.

1 Like

Depends. If you know that the cleartext is shorter than the hash block length, the hash is reversible. We just hope that no one ever finds an efficient (i.e. deterministic polynomial) reverse function. :wink:

Ok, “hope” is not exactly true. Cryptologists are fairly certain that for SHA2 no such function exists for current hardware.

1 Like

Not exactly, minimum default password length today is 10 for regular users and 15 for staff. A weak 10 char password wouldn’t be terribly hard to break. See data at

https://blog.codinghorror.com/hacker-hack-thyself/

We still need to create a password hash version and ramp up the hash difficulty a fair bit before 2020.

3 Likes
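The post above talks about adding a password hash version and raising the hash difficulty. Here is an added example (not code from the thread and not Discourse’s own schema or migration) of one way to do that: tag every stored hash with its algorithm and iteration count, and rehash at the current cost the next time the user logs in successfully, since that is the only moment the plaintext is legitimately available. The `pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>` record format and both iteration counts are assumptions for this illustration.

```python
"""Added example (not from the original thread and not Discourse's own code):
versioned password hash records with transparent upgrade on login.

Assumptions: the record format "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>"
and the two iteration counts are illustrative choices, not Discourse's.
"""
import hashlib
import hmac
import os

CURRENT_ITERATIONS = 300_000   # assumed new policy
LEGACY_ITERATIONS = 64_000     # assumed old policy still present in the table


def encode(iterations: int, salt: bytes, digest: bytes) -> str:
    """Serialize algorithm tag, work factor, salt and hash into one string."""
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def decode(record: str) -> tuple:
    """Parse a record; reject tags we do not know how to verify."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError(f"unsupported algorithm tag {algo!r}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_record(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Create a record at the given cost with a fresh 16-byte salt."""
    salt = os.urandom(16)
    return encode(iterations, salt, hash_password(password, salt, iterations))


def needs_upgrade(record: str) -> bool:
    """True when the stored work factor is below the current policy."""
    iterations, _, _ = decode(record)
    return iterations < CURRENT_ITERATIONS


def login(password: str, record: str) -> tuple:
    """Verify against whatever cost the record was made with.
    Returns (ok, record_to_store): on success with a below-policy record the
    plaintext was just presented, so it is rehashed at the current cost and the
    caller should persist the returned record. Failures never change the record."""
    iterations, salt, digest = decode(record)
    if not hmac.compare_digest(hash_password(password, salt, iterations), digest):
        return False, record
    if iterations < CURRENT_ITERATIONS:
        return True, new_record(password)
    return True, record


def pending_upgrades(records: list) -> int:
    """How many stored records still sit below policy (for a migration report)."""
    return sum(1 for r in records if needs_upgrade(r))


if __name__ == "__main__":
    # Constructed table: one legacy-cost record and one already at policy.
    table = [new_record("Tr0ub4dor&3", LEGACY_ITERATIONS), new_record("another-user-pw")]
    print("records below policy before logins:", pending_upgrades(table))
    ok, table[0] = login("Tr0ub4dor&3", table[0])
    print("login ok:", ok, "| records below policy after login:", pending_upgrades(table))
```

The point of keeping the cost in the record is that raising `CURRENT_ITERATIONS` is a one-line policy change: old hashes keep verifying at their old cost, nobody is forced through a password reset, and the table converges on the new cost as users log in. Accounts that never log in again stay at the old cost, so a migration report like `pending_upgrades` tells you how much of the table is still exposed at the weaker work factor.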

Not against ramping up hash difficulty by 2020 at all, but the most enormous risk will remain the “previously hacked list of passwords” that is constantly expanding. Hopefully by 2020 we can go for 2FA by default and at least mitigate more of this long term.

4 Likes

Looks like that didn’t end up happening.

For anyone out there, don’t change your discourse instance’s password length to 8 digits, it will only lead to unhappy people. (I tested it, and if I can crack it, anyone can.)

1 Like

Actually this is mostly done: the setting enforce_second_factor is enabled by default on all new instances for staff.

Existing instances of Discourse can toggle the setting to staff.

3 Likes